Enabling Encryption for your CloudTrail Log Files

You can enable KMS encryption for your CloudTrail log files.

  1. Log into the AWS Console and go to IAM > Encryption Keys > Create Key. The Add alias and description page displays. Enter an alias and a description for the key. Then, click Next.


    CreateAlias.png

  2. The Add tags page displays. You can use tags to categorize and identify your customer master keys (CMKs). Click Next to proceed.
    • Adding tags is optional.

    AddTags.png

  3. The Define key administrative permissions page displays. Click Next.


    DefineKeyPerms.png

  4. The Define key usage permissions page displays. Click Next.


    DefineKeyUsage.png

  5. The Review and edit key policy page displays.


    EditKeyPolicy.png

    Copy the statements below and paste them into the key policy immediately after the first statement (the one the console generated), separated from it by a comma.

    {
        "Sid": "Allow CloudTrail to encrypt logs",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudtrail.amazonaws.com"
        },
        "Action": "kms:GenerateDataKey*",
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": [
                    "CLOUDTRAIL_ARN_HERE"
                ]
            }
        }
    },
    {
        "Sid": "Enable CloudTrail log decrypt permissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": "TS_IAM_ROLE_HERE"
        },
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "Null": {
                "kms:EncryptionContext:aws:cloudtrail:arn": "false"
            }
        }
    },
    {
        "Sid": "Allow CloudTrail access",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudtrail.amazonaws.com"
        },
        "Action": "kms:DescribeKey",
        "Resource": "*"
    }

  6. In the “CLOUDTRAIL_ARN_HERE” line, replace the text with arn:aws:cloudtrail:*:AWS_ACCOUNT_NUMBER:trail/TRAIL_NAME.
    • AWS_ACCOUNT_NUMBER: Indicates your AWS account number
    • TRAIL_NAME: Indicates your CloudTrail name
  7. In the “TS_IAM_ROLE_HERE” line, replace the text with the IAM Role ARN used to integrate your AWS account with Threat Stack.
  8. Click Finish to complete the key creation process.
  9. Navigate to the CloudTrail service. Click Trails to display the Trails page.


    TrailsPage.png

  10. Navigate to the trail for which you would like encryption enabled. Select the edit icon for the Storage location section.
  11. In the Create a new S3 bucket section, confirm the No radio button is selected.


    StorageKMSEncrypt.png

    1. In the Encrypt log files with SSE-KMS section, select the Yes radio button.
    2. In the Create a new KMS key section, select the No radio button.
    3. In the KMS key field, select the newly created key from the dropdown menu.
  12. Click Save to register your selections.
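The following is an added example, not part of the original article or of Threat Stack's own tooling. It builds the key policy from steps 5 to 7 in code and then checks a policy (either a dict or the JSON text you are about to paste into the console) for the mistakes that most often slip through: a placeholder left unreplaced, a missing comma between statements, a GenerateDataKey grant with no trail-ARN condition (any trail in any account could then use the key), and a Decrypt grant that lacks the Null encryption-context condition (the role could then decrypt arbitrary ciphertext under the key, not only CloudTrail log files). The account number, trail name and role ARN are constructed values; the "Enable IAM User Permissions" statement is assumed to be the default first statement the console generates.

```python
"""Build and sanity-check a KMS key policy for CloudTrail log encryption.

Added example; account number, trail name and role ARN below are constructed.
"""
import json

# Placeholders from the article that must not survive into the real policy.
PLACEHOLDERS = ("CLOUDTRAIL_ARN_HERE", "TS_IAM_ROLE_HERE", "AWS_ACCOUNT_NUMBER", "TRAIL_NAME")
CONTEXT_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"


def cloudtrail_statements(account_id, trail_name, reader_role_arn):
    """The three statements from the article, with the placeholders filled in."""
    trail_arn = f"arn:aws:cloudtrail:*:{account_id}:trail/{trail_name}"
    return [
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            # Only this trail may request data keys under this CMK.
            "Condition": {"StringLike": {CONTEXT_KEY: [trail_arn]}},
        },
        {
            "Sid": "Enable CloudTrail log decrypt permissions",
            "Effect": "Allow",
            "Principal": {"AWS": reader_role_arn},
            "Action": "kms:Decrypt",
            "Resource": "*",
            # Null == "false": the request must carry a CloudTrail encryption
            # context, so the role can decrypt log files, not arbitrary ciphertext.
            "Condition": {"Null": {CONTEXT_KEY: "false"}},
        },
        {
            "Sid": "Allow CloudTrail access",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:DescribeKey",
            "Resource": "*",
        },
    ]


def build_key_policy(account_id, trail_name, reader_role_arn):
    """Complete key policy: the console's default root statement (assumed) first."""
    root_statement = {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }
    return {"Version": "2012-10-17",
            "Statement": [root_statement, *cloudtrail_statements(account_id, trail_name, reader_role_arn)]}


def policy_json(policy):
    """Serialise for `aws kms create-key --policy file://...`."""
    return json.dumps(policy, indent=2)


def _actions(stmt):
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)


def _principal(stmt):
    pr = stmt.get("Principal", {})
    return pr if isinstance(pr, dict) else {}


def _allows(stmt, action):
    """True if an Allow statement covers `action`, honouring a trailing wildcard."""
    return stmt.get("Effect") == "Allow" and any(
        a == action or (a.endswith("*") and action.startswith(a[:-1])) for a in _actions(stmt))


def check_key_policy(policy):
    """Return a list of problems (empty means the policy passed). Accepts dict or JSON text."""
    if isinstance(policy, str):
        try:
            policy = json.loads(policy)
        except json.JSONDecodeError as exc:
            return [f"policy is not valid JSON (missing comma between statements?): {exc}"]
    problems = [f"placeholder {ph} was not replaced" for ph in PLACEHOLDERS if ph in json.dumps(policy)]
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts

    encrypt = [s for s in stmts if _allows(s, "kms:GenerateDataKey")
               and _principal(s).get("Service") == "cloudtrail.amazonaws.com"]
    if not encrypt:
        problems.append("no statement lets cloudtrail.amazonaws.com call kms:GenerateDataKey*")
    for s in encrypt:
        if CONTEXT_KEY not in s.get("Condition", {}).get("StringLike", {}):
            problems.append(f"statement {s.get('Sid')!r} lets any trail use the key (no trail ARN condition)")
    for s in stmts:
        # Skip the root/admin statement; look at narrow grants to IAM principals.
        if _allows(s, "kms:Decrypt") and "AWS" in _principal(s) and "kms:*" not in _actions(s):
            if s.get("Condition", {}).get("Null", {}).get(CONTEXT_KEY) != "false":
                problems.append(f"statement {s.get('Sid')!r} grants kms:Decrypt without requiring "
                                "a CloudTrail encryption context")
    return problems


if __name__ == "__main__":
    # Constructed values; replace with your own account, trail and integration role.
    pol = build_key_policy("123456789012", "my-trail", "arn:aws:iam::123456789012:role/ThreatStackIntegration")
    assert check_key_policy(pol) == []
    with open("key-policy.json", "w") as fh:
        fh.write(policy_json(pol))
```

Running the script writes key-policy.json, which can be used with `aws kms create-key --policy file://key-policy.json` in place of steps 5 to 8, and the resulting key ARN can be attached to the trail with `aws cloudtrail update-trail --name TRAIL_NAME --kms-key-id KEY_ARN` in place of steps 9 to 12. Pasting a policy from a ticket or wiki into `check_key_policy` before applying it is the cheap control here: the two conditions are the only thing keeping the key scoped to this trail and this reader role.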