How do I use AWS KMS to encrypt log data in CloudWatch Logs?


I want to use AWS Key Management Service (AWS KMS) to encrypt log data in Amazon CloudWatch Logs.

Short description

By default, CloudWatch Logs uses server-side encryption keys to encrypt log group data. To control log data encryption or adhere to your security policy, you can also use customer managed keys in AWS KMS.

Note: When you use AWS KMS encryption, you might incur increased costs.

Resolution

To use an existing customer managed key for log data encryption in a log group, complete the following steps.

Note: If you don't have a customer managed key, then create a key before you begin. CloudWatch Logs supports only symmetric AWS KMS keys.

Grant CloudWatch Logs the necessary permissions to access the AWS KMS key

To grant CloudWatch Logs permissions to access the AWS KMS key, change the key policy so that it includes the following statement. To allow other log groups to use the key, replace the log group ARN in the Condition section with arn:aws:logs:<region>:<account-id>:log-group:*.

Example statement:

Note: Replace example-region with your AWS Region, example-account-id with your AWS account ID, and example-log-group with your log group name.

{
    "Effect": "Allow",
    "Principal": {
        "Service": "logs.example-region.amazonaws.com"
    },
    "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
    ],
    "Resource": "*",
    "Condition": {
        "ArnEquals": {
            "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:example-region:example-account-id:log-group:example-log-group"
        }
    }
}
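The statement above grants the CloudWatch Logs service principal use of the key, and the Condition is what limits that grant to one log group (or, with the wildcard ARN, to the log groups in your account and Region). The following Python is an added example, not code from the AWS article: it builds that statement for a given Region, account and log group, implements the wildcard matching that IAM applies to ArnEquals and ArnLike values, and audits an existing key policy for statements that let CloudWatch Logs use the key without any encryption-context condition. The Sid value, the helper names and the sample policy are this example's own assumptions; the account ID and key policy are constructed.

```python
"""Added example (not from the AWS article): build the CloudWatch Logs
key-policy statement and audit a key policy for unscoped grants."""
import json
import re

# The actions the article's statement grants to the CloudWatch Logs service.
LOGS_ACTIONS = [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*",
]


def log_group_arn(region, account_id, log_group="*"):
    """ARN of one log group, or of every log group in the account/Region when "*"."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"


def logs_key_policy_statement(region, account_id, log_group="*"):
    """The article's statement, scoped by encryption context to log_group."""
    return {
        "Sid": "AllowCloudWatchLogs",  # assumption: the article's statement has no Sid
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": list(LOGS_ACTIONS),
        "Resource": "*",
        "Condition": {
            "ArnEquals": {
                "kms:EncryptionContext:aws:logs:arn": log_group_arn(region, account_id, log_group)
            }
        },
    }


def arn_matches(pattern, arn):
    """IAM ArnEquals/ArnLike matching: '*' matches any run, '?' one character, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_logs_access(policy, region, target_log_group_arn):
    """Classify each Allow statement that names the CloudWatch Logs principal for `region`:
      scoped   - an encryption-context condition covers target_log_group_arn
      unscoped - no encryption-context condition, so any log group in the account can use the key
      no_match - a condition exists but does not cover the target log group
    Returns a list of (Sid, classification) tuples in statement order.
    """
    principal = f"logs.{region}.amazonaws.com"
    context_key = "kms:EncryptionContext:aws:logs:arn"
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not isinstance(stmt.get("Principal"), dict):
            continue
        if principal not in _as_list(stmt["Principal"].get("Service", [])):
            continue
        patterns = []
        for operator in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
            patterns += _as_list(stmt.get("Condition", {}).get(operator, {}).get(context_key, []))
        if not patterns:
            verdict = "unscoped"
        elif any(arn_matches(p, target_log_group_arn) for p in patterns):
            verdict = "scoped"
        else:
            verdict = "no_match"
        findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings


# Constructed sample key policy: the article's statement plus an unscoped grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        logs_key_policy_statement("us-east-1", "111122223333", "app-logs"),
        {
            "Sid": "Open",
            "Effect": "Allow",
            "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
            "Action": "kms:*",
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    print(json.dumps(logs_key_policy_statement("us-east-1", "111122223333", "app-logs"), indent=4))
    target = log_group_arn("us-east-1", "111122223333", "app-logs")
    for sid, verdict in audit_logs_access(SAMPLE_POLICY, "us-east-1", target):
        print(f"{sid}: {verdict}")
```

An "unscoped" finding means the statement lets any log group in the account encrypt with the key, which is the broader grant the article's wildcard ARN also produces; the audit lets you confirm that each key is scoped as tightly as you intended.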

Associate an AWS KMS key with a log group

You can associate an AWS KMS key with a log group either when you create the log group or after you create it. It can take up to 5 minutes for the associated key to be used for encryption.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Associate an AWS KMS key during creation

To associate an AWS KMS key when you create the log group, complete the following steps:

  1. Open the CloudWatch console.
  2. In the navigation pane, choose Log groups.
  3. Choose Create log group.
  4. Enter a name and the AWS KMS key ARN for the log group, and then choose Create. Or, run the following create-log-group command:
    Note: Replace example-log-group with the log group name and example-key-arn with the ARN of the AWS KMS key.
    aws logs create-log-group --log-group-name example-log-group --kms-key-id example-key-arn

Associate an AWS KMS key after creation

Note: You can't use the CloudWatch console to associate an AWS KMS key with an existing log group.

To associate an AWS KMS key with a log group after you create the log group, run the following associate-kms-key command:

Note: Replace example-log-group with the log group name and example-key-arn with the ARN of the AWS KMS key.

aws logs associate-kms-key --log-group-name example-log-group --kms-key-id example-key-arn

You can disassociate an AWS KMS key from a log group. After you disassociate or change an AWS KMS key, CloudWatch Logs can still decrypt and return log data that was encrypted with the previous key. However, if you turn off (disable) an AWS KMS key, then CloudWatch Logs can't read the logs that you encrypted with that key.
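After associating keys, you typically want to confirm which log groups actually carry the expected customer managed key, which still use the default server-side encryption, and which sit on a different key. The following Python is an added example, not code from the AWS article: it parses the JSON that `aws logs describe-log-groups` returns (the sample output here is constructed, with made-up account and key IDs), classifies each log group against an expected key ARN, and prints the article's associate-kms-key command for each group that needs the expected key. The helper names are this example's own.

```python
"""Added example (not from the AWS article): audit describe-log-groups output
for log groups that are not encrypted with the expected customer managed key."""
import json

EXPECTED_KEY_ARN = (
    "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
)

# Constructed sample of `aws logs describe-log-groups --output json`.
# A log group without "kmsKeyId" uses the default CloudWatch Logs encryption.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "logGroups": [
        {
            "logGroupName": "/app/api",
            "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/api:*",
            "kmsKeyId": EXPECTED_KEY_ARN,
        },
        {
            "logGroupName": "/app/worker",
            "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/worker:*",
        },
        {
            "logGroupName": "/app/legacy",
            "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/legacy:*",
            "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/99999999-8888-7777-6666-555555555555",
        },
    ]
})


def audit_log_group_encryption(describe_output_json, expected_key_arn):
    """Return {"compliant": [names], "unencrypted": [names], "other_key": {name: key_arn}}."""
    groups = json.loads(describe_output_json).get("logGroups", [])
    result = {"compliant": [], "unencrypted": [], "other_key": {}}
    for group in groups:
        name = group["logGroupName"]
        key = group.get("kmsKeyId")
        if key is None:
            result["unencrypted"].append(name)
        elif key == expected_key_arn:
            result["compliant"].append(name)
        else:
            result["other_key"][name] = key
    return result


def remediation_commands(audit, expected_key_arn):
    """The article's associate-kms-key command for each group that lacks the expected key.
    Groups on another key are included: associating the expected key changes the key, and
    CloudWatch Logs keeps decrypting data written under the previous one."""
    names = audit["unencrypted"] + sorted(audit["other_key"])
    return [
        f"aws logs associate-kms-key --log-group-name {name} --kms-key-id {expected_key_arn}"
        for name in names
    ]


if __name__ == "__main__":
    audit = audit_log_group_encryption(SAMPLE_DESCRIBE_OUTPUT, EXPECTED_KEY_ARN)
    print(json.dumps(audit, indent=2))
    for command in remediation_commands(audit, EXPECTED_KEY_ARN):
        print(command)
```

In a real account you would feed the script the output of `aws logs describe-log-groups --output json` and review the generated commands before running them; the key they reference must already carry the key-policy statement from the earlier section, or the association fails.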

Related information

Encrypt log data in CloudWatch Logs using AWS Key Management Service

Data protection in Amazon CloudWatch Logs