AWS Config Rule: CloudWatch Log Group Encrypted
CLOUDWATCH_LOG_GROUP_ENCRYPTED
Fernando Honig
Last Update 10 months ago
Description: Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK). The rule is NON_COMPLIANT if no AWS KMS CMK is configured on the log groups.
Trigger type: Periodic
AWS Region: All supported AWS regions except China (Beijing), China (Ningxia), Asia Pacific (Osaka) Region
How to Resolve Manually
Log group data is always encrypted in CloudWatch Logs. You can optionally use AWS Key Management Service for this encryption. If you do, the encryption is done using an AWS KMS customer master key (CMK). Encryption using AWS KMS is enabled at the log group level, by associating a CMK with a log group, either when you create the log group or after it exists.
Within the CloudWatch Dashboard, when creating a new Log Group you can see below the setting to assign a KMS key by ARN below. This is where you will associate your KMS customer managed key (CMK) to this particular log group.
AWS best practices recommends using a different CMK key for each of your encrypted log groups
However, it is not possible to use the AWS CloudWatch Dashboard to assign a KMS CMK to an existing log group at this time. You can achieve this however using the command line, but please note you will need a KEY created and ready before this step;
Use the associate-kms-key command as follows:
aws logs associate-kms-key --log-group-name my-log-group --kms-key-id "key-arn"
How to Resolve with StackZone
You can resolve with StackZone by enabling the CloudWatch Encryption Check Remediation
Just head to BaseLine Services > Cloudwatch > remediation > cloudwatch-encryption-check-remediation = true
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here
