Encryption of WAF logs and DNS query logs


We are unable to get WAF logs, DNS query logs for a high security project and cannot determine if they should be stored in encrypted S3. We are thinking of storing them in encrypted S3 if both the source and the action taken are known. We are also thinking of storing in encrypted S3 when information that identifies individuals is carried. In this case, is it necessary to encrypt the WAF logs and DNS query logs?

1 Answer

The need to encrypt logs should be determined by your organization's risk appetite, compliance requirement, and threat model. But S3 does support encryption through AWS KMS (SSE-KMS) where you create a KMS key and then configure the bucket to use SSE-KMS to use your KMS key for the encryption. After you set up the bucket, you can pipe the log from WAF (through Kinesis Firehose or CW Log) to this bucket for storage. Only user with access to your KMS key will be then able to decrypt and access the log in your S3 bucket.

I recommend you also enable S3 Bucket Key to reduce your KMS cost as well.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions