> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# CloudWatch Log Groups Should Be Encrypted With CMK

### More Info:

Cloudwatch loggroups should be encrypted

### Risk Level

High

### Address

Security

### Compliance Standards

HIPAA,PCIDSS,GDPR,CISAWS,CBP,NIST,SOC2,AWSWAF,SEBI,RBI\_UCB

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Enabling encryption from console has some limitations, AWS does not allow KMS Key association with Log Groups from Console.
        [Reference Link](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html#encryption-limits)
      </Accordion>

      <Accordion title="Using CLI">
        1. **Create an AWS KMS Key:**
           ```bash theme={null}
           aws kms create-key
           ```

        2. **Set Permissions on the KMS Key:**
           * Retrieve the default policy for the key:
             ```bash theme={null}
             aws kms get-key-policy --key-id <key-id> --policy-name default --output text > ./policy.json
             ```
           * Edit `policy.json` to include the necessary permissions as described in the documentation.
           * Apply the updated policy to the key:
             ```bash theme={null}
             aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json
             ```

        3. **Associate the KMS Key with a Log Group:**
           * To associate the key during log group creation:
             ```bash theme={null}
             aws logs create-log-group --log-group-name <log-group-name> --kms-key-id <key-arn>
             ```
           * To associate the key with an existing log group:
             ```bash theme={null}
             aws logs associate-kms-key --log-group-name <log-group-name> --kms-key-id <key-arn>
             ```

        4. **Disassociate Key from a Log Group (if needed):**
           ```bash theme={null}
           aws logs disassociate-kms-key --log-group-name <log-group-name>
           ```
      </Accordion>

      <Accordion title="Using Python">
        You can use the `boto3` library in Python to achieve the same tasks programmatically.

        1. **Create an AWS KMS Key:**
           ```python theme={null}
           import boto3

           kms = boto3.client('kms')
           response = kms.create_key()
           ```

        2. **Set Permissions on the KMS Key:**
           * Retrieve, edit, and apply the policy similar to the AWS CLI method.

        3. **Associate the KMS Key with a Log Group:**
           ```python theme={null}
           import boto3

           logs = boto3.client('logs')
           logs.create_log_group(logGroupName='<log-group-name>', kmsKeyId='<key-arn>')
           ```

        4. **Disassociate Key from a Log Group (if needed):**
           ```python theme={null}
           import boto3

           logs = boto3.client('logs')
           logs.disassociate_kms_key(logGroupName='<log-group-name>')
           ```

        Ensure you replace placeholders such as `<key-id>`, `<key-arn>`, and `<log-group-name>` with actual values in the commands or code snippets. Also, review and adjust the permissions and conditions according to your specific requirements.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
