Create A KMS Key for AWS Organizations Trail
ACM.189 Next step to set up an AWS Organizations CloudTrail
Part of my series on Automating Cybersecurity Metrics. The Code.
In the last post we made sure our AWS Organization has all features enabled which is a prerequisite for an AWS Organizations CloudTrail.
Next steps to create an AWS Organizations Trail
In this post we’ll take the next step. When I outlined the steps, I explained that you need to determine whether AWS partitions apply to you. They do not in my case.
You might want to use a delegated administrator. I’m not doing that now but might set it up later. My user has the necessary permissions.
I decided I would use the organization prefix I used to deploy other organization resources to create the trail.
If you want to review all the steps they are all listed here.
The next step is to create a KMS key to encrypt our trail.
Should I reuse my existing key?
Now, I already created a KMS key for OrgRoot secrets when I set up my IdP in this post:
What if I just use that key to encrypt my CloudTrail log? Well, if I decide to delegate access to others to review these logs then I’d need to give them access to that key as well and that’s a bit more access than they need. I’m going to go ahead and create a separate key for any organization logs generated in the root account.
Should I create the key in the root account?
My other question is whether I want to use a key generated in the root account or one from a dedicated KMS key administration account. I don’t have that account set up yet, so I’ll put the key in the root account. But then our SCPs won’t apply to this trail.
Can I change the key later? Even if I could change the key later, we would still need to retain the old key in order to decrypt older events. That’s a bit complicated.
As you can see there are always a lot of dependency issues to consider when creating cloud resources. Your initial choices may affect you down the road. I’m going to start with a KMS key in the root account, restricted to CloudTrail using the policy conditions described in my list of steps to Implement an AWS Organizations trail. I’ll likely move management of CloudTrail logs later to a separate logs account.
Create the key
Now, as you may recall, I created the last key in the Organizations directory because each directory represents code that may be maintained in its own repository in the future. This code will be maintained by whoever is allowed to control the root organization setup.
The code looked like this and uses our generic KMS creation function created much earlier in this series.

We can essentially use the same code to add another key for CloudFormation.

I had to make one other change in the Key.yaml file used to deploy KMS keys.

Since we haven’t yet set up our KMS role, we also need to use the KeyIsOrgRoot condition to make the OrgRoot user the administrator for this key.

Then running the deploy script was successful.


We’ll need to add a few other things in a later post as explained here:
Notice that I could not yet use the condition above to restrict this key to our organization trail, since the trail doesn’t exist yet. That means, like some other KMS permissions we added earlier, we’ll have to update the key policy after we create the trail in order to add the condition. We also need to grant CloudTrail permission to use the key.
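As an added example (not the post’s own Key.yaml or deploy script), here is a Python helper that builds the kind of key policy described above, using the two CloudTrail conditions AWS documents for this purpose (aws:SourceArn and kms:EncryptionContext:aws:cloudtrail:arn), plus a check that flags the interim state where the CloudTrail service principal can generate data keys before the trail condition has been added. The account id, region, trail name and admin ARN are placeholders.

```python
import json

CLOUDTRAIL = "cloudtrail.amazonaws.com"

def cloudtrail_key_policy(account_id, region, trail_name, admin_arn):
    """Key policy for a CloudTrail-only KMS key in the management account.
    admin_arn is the principal that administers the key (placeholder for the OrgRoot user)."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return {"Version": "2012-10-17", "Statement": [
        # Key administration goes to the org root principal only; if that principal
        # is ever lost, nothing else can manage the key, so choose it deliberately.
        {"Sid": "KeyAdmin", "Effect": "Allow", "Principal": {"AWS": admin_arn},
         "Action": "kms:*", "Resource": "*"},
        # CloudTrail may only generate data keys on behalf of this specific trail.
        {"Sid": "CloudTrailEncrypt", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {
             "StringEquals": {"aws:SourceArn": trail_arn},
             "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                            f"arn:aws:cloudtrail:*:{account_id}:trail/*"}}},
        {"Sid": "CloudTrailDescribe", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "kms:DescribeKey", "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
    ]}

def unscoped_cloudtrail_statements(policy):
    """Sids of Allow statements that let the CloudTrail service principal
    generate data keys without a condition tying the grant to a trail."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or CLOUDTRAIL not in services:
            continue
        if not any(a == "kms:*" or a.startswith("kms:GenerateDataKey") for a in actions):
            continue
        cond = json.dumps(stmt.get("Condition", {}))
        if "aws:SourceArn" not in cond and "kms:EncryptionContext:aws:cloudtrail:arn" not in cond:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

if __name__ == "__main__":
    p = cloudtrail_key_policy("111122223333", "us-east-1", "org-trail",
                              "arn:aws:iam::111122223333:user/OrgRoot")
    print(json.dumps(p, indent=2))
    print("unscoped statements:", unscoped_cloudtrail_statements(p))
```

Run the check again after the trail exists and the condition has been added; an empty list means every CloudTrail grant on the key is pinned to a trail.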
Update: I want to take a look at policies required to grant access to CloudTrail next. Then we’ll look at S3 buckets! :)
Teri Radichel | © 2nd Sight Lab 2023