Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure CloudTrail logs are encrypted at rest using AWS KMS keys #4693

Open
14 tasks
dsotirho-ucsc opened this issue Nov 5, 2022 · 1 comment
Open
14 tasks

Ensure CloudTrail logs are encrypted at rest using AWS KMS keys #4693

dsotirho-ucsc opened this issue Nov 5, 2022 · 1 comment
Labels
- [priority] Medium compliance [subject] Information and software security orange [process] Done by the Azul team securityhub [subject] Represents one or more SecurityHub findings severity:cis2 [subject] CIS Level 2 severity:medium [subject] A SecurityHub severity of MEDIUM

Comments

@dsotirho-ucsc
Copy link
Contributor

dsotirho-ucsc commented Nov 5, 2022
edited
Loading 

{
    "GeneratorIds": [
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7",
        "aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2"
    ]
}

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.7
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudtrail-2

  • Security design review completed; the Resolution of this issue does not
    • … affect authentication; for example:
      • OAuth 2.0 with the application (API or Swagger UI)
      • Authentication of developers with Google Cloud APIs
      • Authentication of developers with AWS APIs
      • Authentication with a GitLab instance in the system
      • Password and 2FA authentication with GitHub
      • API access token authentication with GitHub
      • Authentication with
    • … affect the permissions of internal users like access to
      • Cloud resources on AWS and GCP
      • GitLab repositories, projects and groups, administration
      • an EC2 instance via SSH
      • GitHub issues, pull requests, commits, commit statuses, wikis, repositories, organizations
    • … affect the permissions of external users like access to
      • TDR snapshots
    • … affect permissions of service or bot accounts
      • Cloud resources on AWS and GCP
    • … affect audit logging in the system, like
      • adding, removing or changing a log message that represents an auditable event
      • changing the routing of log messages through the system
    • … affect monitoring of the system
    • … introduce a new software dependency like
      • Python packages on PYPI
      • Command-line utilities
      • Docker images
      • Terraform providers
    • … add an interface that exposes sensitive or confidential data at the security boundary
    • … affect the encryption of data at rest
    • … require persistence of sensitive or confidential data that might require encryption at rest
    • … require unencrypted transmission of data within the security boundary
    • … affect the network security layer; for example by
      • modifying, adding or removing firewall rules
      • modifying, adding or removing security groups
      • changing or adding a port a service, proxy or load balancer listens on
  • Documentation on any unchecked boxes is provided in comments below
@dsotirho-ucsc dsotirho-ucsc added orange [process] Done by the Azul team securityhub [subject] Represents one or more SecurityHub findings severity:medium [subject] A SecurityHub severity of MEDIUM labels Nov 5, 2022
@dsotirho-ucsc dsotirho-ucsc mentioned this issue Nov 5, 2022
Closed
@dsotirho-ucsc dsotirho-ucsc added the severity:cis2 [subject] CIS Level 2 label Nov 16, 2022
@dsotirho-ucsc dsotirho-ucsc mentioned this issue Nov 16, 2022
Closed
@hannes-ucsc hannes-ucsc added the compliance [subject] Information and software security label Feb 17, 2023
@hannes-ucsc hannes-ucsc changed the title Ensure CloudTrail logs are encrypted at rest using KMS CMKs Ensure CloudTrail logs are encrypted at rest using AWS KMS keys Feb 18, 2023
@hannes-ucsc
Copy link
Member

Similar to #4715. We'll solve that one first.

@hannes-ucsc hannes-ucsc added the - [priority] Medium label Feb 21, 2023
@dsotirho-ucsc dsotirho-ucsc modified the milestone: Compliance mitigation 23/10 Oct 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
- [priority] Medium compliance [subject] Information and software security orange [process] Done by the Azul team securityhub [subject] Represents one or more SecurityHub findings severity:cis2 [subject] CIS Level 2 severity:medium [subject] A SecurityHub severity of MEDIUM
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hannes-ucsc @dsotirho-ucsc