AWS Config Rule: CloudWatch Log Group Encrypted


Fernando Honig

Last Update 8 months ago

Description: Checks whether a log group in Amazon CloudWatch Logs is encrypted with an AWS Key Management Service (KMS) customer master key (CMK). The rule is NON_COMPLIANT if no AWS KMS CMK is configured on the log group.

Trigger type: Periodic

AWS Region: All supported AWS regions except China (Beijing), China (Ningxia), Asia Pacific (Osaka) Region

How to Resolve Manually

Log group data is always encrypted at rest in CloudWatch Logs. You can optionally use AWS Key Management Service for this encryption; if you do, the encryption uses an AWS KMS customer master key (CMK) that you control. Encryption with AWS KMS is enabled at the log group level by associating a CMK with the log group, either when you create the log group or after it exists. Two things to check before you associate a key: CloudWatch Logs supports only symmetric KMS keys, and the key policy must allow the CloudWatch Logs service principal for the region (logs.<region>.amazonaws.com) to use the key, otherwise the association is rejected with an access-denied error. Only data ingested after the association is encrypted with the CMK.

Within the CloudWatch console, the form for creating a new log group has a field for a KMS key ARN. This is where you associate your KMS customer managed key (CMK) with that particular log group.

AWS best practice recommends using a separate CMK for each of your encrypted log groups. If you do share a key between log groups, scope the key policy's kms:EncryptionContext:aws:logs:arn condition to exactly the log groups that should use it, so that any other log group in the account cannot.

However, the AWS CloudWatch console does not, at this time, let you assign a KMS CMK to an existing log group. You can do this from the command line instead, but note that the key must already exist, with a key policy that grants the CloudWatch Logs service principal access, before this step:

Use the associate-kms-key command as follows:

aws logs associate-kms-key --log-group-name my-log-group --kms-key-id "key-arn"
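The two things the steps above leave implicit are what the rule actually tests for, and what the key policy of the "KEY created and ready" has to contain. The following script is an added example, not code from the StackZone article or from AWS: it re-implements the rule's decision over a constructed sample of `aws logs describe-log-groups` output, builds the key policy statement that lets logs.<region>.amazonaws.com use the key for named log groups only, and runs a pre-flight check of a key policy against a log group before you call associate-kms-key. The region, account ID, key ID and log group names are illustrative assumptions.

```python
"""
Added example (not from the original article or AWS). Offline helpers around
the cloudwatch-log-group-encrypted check:
  evaluate_log_groups()       mirrors the rule: no kmsKeyId -> NON_COMPLIANT
  logs_key_policy()           key policy a CMK needs before associate-kms-key
  key_policy_allows_log_group() pre-flight check of a policy for one log group
"""
import fnmatch
import json

REGION = "us-east-1"          # assumed
ACCOUNT_ID = "123456789012"   # assumed (documentation-style example account)
CONDITION_KEY = "kms:EncryptionContext:aws:logs:arn"

# Actions CloudWatch Logs needs on the key (from the AWS key-policy example).
REQUIRED_ACTIONS = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:Describe*"]

# Constructed sample of `aws logs describe-log-groups` output (trimmed).
SAMPLE_DESCRIBE_LOG_GROUPS = {
    "logGroups": [
        {"logGroupName": "/aws/lambda/orders",
         "arn": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/orders:*",
         "storedBytes": 1024},
        {"logGroupName": "app/audit",
         "arn": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:app/audit:*",
         "kmsKeyId": f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555",
         "storedBytes": 4096},
    ]
}


def evaluate_log_groups(describe_output):
    """Rule logic: a log group with no kmsKeyId attribute is NON_COMPLIANT."""
    return {lg["logGroupName"]: "COMPLIANT" if lg.get("kmsKeyId") else "NON_COMPLIANT"
            for lg in describe_output["logGroups"]}


def log_group_arn(region, account_id, name):
    """ARN form CloudWatch Logs puts in the aws:logs:arn encryption context."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{name}"


def logs_key_policy(region, account_id, log_group_names):
    """Key policy: account root keeps admin rights; the regional CloudWatch Logs
    service principal may use the key only for the listed log groups."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow CloudWatch Logs to use the key", "Effect": "Allow",
             "Principal": {"Service": f"logs.{region}.amazonaws.com"},
             "Action": REQUIRED_ACTIONS, "Resource": "*",
             "Condition": {"ArnEquals": {CONDITION_KEY: [
                 log_group_arn(region, account_id, n) for n in log_group_names]}}},
        ],
    }


def key_policy_allows_log_group(policy, region, account_id, name):
    """True if some Allow statement grants the regional Logs service principal
    every required action and its aws:logs:arn condition (if any) matches this
    log group. A failed check is the usual cause of AccessDeniedException from
    associate-kms-key. Other condition keys are ignored (simplification)."""
    target = log_group_arn(region, account_id, name)
    service = f"logs.{region}.amazonaws.com"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if service not in services:
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not all(any(fnmatch.fnmatch(req, a) for a in actions) for req in REQUIRED_ACTIONS):
            continue
        patterns = []
        for op in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
            v = st.get("Condition", {}).get(op, {}).get(CONDITION_KEY)
            if v is not None:
                patterns += v if isinstance(v, list) else [v]
        if not patterns or any(fnmatch.fnmatch(target, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    verdicts = evaluate_log_groups(SAMPLE_DESCRIBE_LOG_GROUPS)
    print(json.dumps(verdicts, indent=2))
    to_fix = [n for n, v in verdicts.items() if v == "NON_COMPLIANT"]
    policy = logs_key_policy(REGION, ACCOUNT_ID, to_fix)
    print(json.dumps(policy, indent=2))
    for n in verdicts:
        print(n, "allowed by key policy:", key_policy_allows_log_group(policy, REGION, ACCOUNT_ID, n))
```

Feed the policy to `aws kms create-key --policy file://policy.json` (or `put-key-policy` on an existing key) before running the associate-kms-key command from the article; the pre-flight check is what to run when that command fails with AccessDeniedException.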

How to Resolve with StackZone

You can resolve this with StackZone by enabling the CloudWatch Encryption Check Remediation:

Just head to BaseLine Services > Cloudwatch > remediation > cloudwatch-encryption-check-remediation = true

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how-it-works section with easy-to-follow videos, or just create your own StackZone account here.
