1
00:00:00,090 --> 00:00:03,310
So, one short lecture on the CloudWatch Logs encryption.

2
00:00:03,310 --> 00:00:06,630
So, you can encrypt your CloudWatch Logs with KMS keys.

3
00:00:06,630 --> 00:00:09,220
And the encryption happens at the log group level.

4
00:00:09,220 --> 00:00:11,800
So, not with log streams but the log group level.

5
00:00:11,800 --> 00:00:14,440
And that you can either associate a CMK

6
00:00:14,440 --> 00:00:16,120
with an existing log group,

7
00:00:16,120 --> 00:00:19,070
or you can create a new log group with a CMK.

8
00:00:19,070 --> 00:00:21,710
But you cannot associate a CMK with a log group

9
00:00:21,710 --> 00:00:23,220
using the CloudWatch console;

10
00:00:23,220 --> 00:00:26,011
you have to use the CloudWatch Logs API or the CLI

11
00:00:26,011 --> 00:00:28,770
or the SDK, so we'll be using the CLI in this lecture.

12
00:00:28,770 --> 00:00:30,530
And we have two commands to note.

13
00:00:30,530 --> 00:00:32,623
The first one is called associate-kms-key,

14
00:00:33,753 --> 00:00:36,640
to associate a KMS key with an existing log group,

15
00:00:36,640 --> 00:00:39,280
or create-log-group to create a log group

16
00:00:39,280 --> 00:00:40,280
that doesn't exist yet

17
00:00:40,280 --> 00:00:42,820
and directly associate it with a KMS key.

18
00:00:42,820 --> 00:00:45,530
So, let's go into the hands-on to see how that works.

19
00:00:45,530 --> 00:00:47,220
So, here I am in CloudWatch Logs.

20
00:00:47,220 --> 00:00:49,087
And I'm going to go to my log groups

21
00:00:49,087 --> 00:00:50,920
and I have 23 of them right now.

22
00:00:50,920 --> 00:00:52,490
And, so, if we take any of those,

23
00:00:52,490 --> 00:00:55,360
for example, the aws/lambda/hello-world log group,

24
00:00:55,360 --> 00:00:58,100
we can see that there is no KMS key ID associated

25
00:00:58,100 --> 00:00:59,580
with that log group yet.

26
00:00:59,580 --> 00:01:02,850
And we cannot do any of that through the UI,

27
00:01:02,850 --> 00:01:06,970
so the UI does not allow us to associate a KMS key ID

28
00:01:06,970 --> 00:01:08,410
with this log group.

29
00:01:08,410 --> 00:01:10,600
So, what we want to do is to take this key

30
00:01:10,600 --> 00:01:12,400
that we've encrypted from before, the tutorial key,

31
00:01:12,400 --> 00:01:15,410
and associate it with this log group.

32
00:01:15,410 --> 00:01:17,410
For this we have to use the CLI.

33
00:01:17,410 --> 00:01:18,790
So let's go ahead and play it out.

34
00:01:18,790 --> 00:01:22,140
So, I'm going to go into my CloudWatch Logs code directory

35
00:01:22,140 --> 00:01:24,020
and open this command.

36
00:01:24,020 --> 00:01:27,600
And, so, this first command is to associate a KMS key

37
00:01:27,600 --> 00:01:29,520
with an existing log group.

38
00:01:29,520 --> 00:01:31,570
So, there is simply, I copy this command,

39
00:01:31,570 --> 00:01:35,050
and I paste it here, and this takes my KMS key.

40
00:01:35,050 --> 00:01:37,640
I paste in the log group name as an argument,

41
00:01:37,640 --> 00:01:39,440
as well as my KMS key ID.

42
00:01:39,440 --> 00:01:41,830
And finally, I paste in the region.

43
00:01:41,830 --> 00:01:43,360
I press enter,

44
00:01:43,360 --> 00:01:45,230
and I'm getting an access denied exception saying

45
00:01:45,230 --> 00:01:48,510
that this associate KMS key operation did not work.

46
00:01:48,510 --> 00:01:49,730
Either the key does not exist,

47
00:01:49,730 --> 00:01:51,380
but I know it exists for sure,

48
00:01:51,380 --> 00:01:54,470
or it's not allowed to be used with this log group,

49
00:01:54,470 --> 00:01:57,060
and this is the second option that's right.

50
00:01:57,060 --> 00:01:59,220
So, indeed, the key has not been authorized

51
00:01:59,220 --> 00:02:00,610
to be used with this log group.

52
00:02:00,610 --> 00:02:03,340
So, we need to apply a certain key policy.

53
00:02:03,340 --> 00:02:06,370
So, if we go here, there is a key policy JSON file.

54
00:02:06,370 --> 00:02:09,810
And we need to apply it to my specific key.

55
00:02:09,810 --> 00:02:11,170
So, I'm gonna get the second part here,

56
00:02:11,170 --> 00:02:12,560
that's what's interesting.

57
00:02:12,560 --> 00:02:14,960
So, I'm gonna get the second part and the comma,

58
00:02:14,960 --> 00:02:18,610
and I'm gonna go into my KMS key console,

59
00:02:18,610 --> 00:02:20,650
and in here I have a key policy.

60
00:02:20,650 --> 00:02:22,640
I'm going to switch to policy view

61
00:02:22,640 --> 00:02:25,480
and I'm going to edit this key policy.

62
00:02:25,480 --> 00:02:28,430
So, this key policy right now is the default key policy

63
00:02:28,430 --> 00:02:30,852
which allows any user or role within my account

64
00:02:30,852 --> 00:02:34,800
to use my KMS key, but doesn't allow any service.

65
00:02:34,800 --> 00:02:36,610
So, we need to allow the service

66
00:02:36,610 --> 00:02:39,030
of CloudWatch Logs to access this key.

67
00:02:39,030 --> 00:02:40,700
So, I'm going to paste this here,

68
00:02:40,700 --> 00:02:42,470
and so there's a comma that has been added

69
00:02:42,470 --> 00:02:43,600
in this statement.

70
00:02:43,600 --> 00:02:45,850
And, so, here we allow logs dot,

71
00:02:45,850 --> 00:02:48,700
and we need to paste in the region, so eu-west-2.

72
00:02:48,700 --> 00:02:52,870
So, logs.eu-west-2.amazonaws.com is allowed

73
00:02:52,870 --> 00:02:54,760
to do encrypt, decrypt, re-encrypt,

74
00:02:54,760 --> 00:02:58,320
generate data key, and describe on this key.

75
00:02:58,320 --> 00:03:00,020
So, I'll save these changes.

76
00:03:00,020 --> 00:03:01,530
And now I have applied a key policy

77
00:03:01,530 --> 00:03:03,700
which should allow more things

78
00:03:03,700 --> 00:03:05,710
to access, including CloudWatch Logs.

79
00:03:05,710 --> 00:03:07,760
So, we should try again our command,

80
00:03:07,760 --> 00:03:08,970
and, hopefully, this time it will work.

81
00:03:08,970 --> 00:03:10,703
So, I will run this command again,

82
00:03:12,070 --> 00:03:13,110
and this time it has worked.

83
00:03:13,110 --> 00:03:15,210
So, we get the end and it is applied.

84
00:03:15,210 --> 00:03:16,520
So, how do I know this?

85
00:03:16,520 --> 00:03:18,710
Well, we could refresh this UI

86
00:03:22,490 --> 00:03:24,560
and now we can see that our KMS key ID,

87
00:03:24,560 --> 00:03:27,080
right here, is associated with our CloudWatch Logs,

88
00:03:27,080 --> 00:03:28,480
and so that means that this log group

89
00:03:28,480 --> 00:03:32,500
is going to be fully encrypted with this KMS key ID.

90
00:03:32,500 --> 00:03:34,380
And I could try the second command,

91
00:03:34,380 --> 00:03:36,570
which is to create a new log group,

92
00:03:36,570 --> 00:03:39,420
which in this example I called example encrypted,

93
00:03:39,420 --> 00:03:41,920
directly passing in the KMS key ID.

94
00:03:41,920 --> 00:03:44,200
So, I paste this in and press enter,

95
00:03:44,200 --> 00:03:45,500
and it says end.

96
00:03:45,500 --> 00:03:49,020
So, if I go back to my log groups and then refresh,

97
00:03:49,020 --> 00:03:50,940
I can find at the very bottom

98
00:03:50,940 --> 00:03:52,950
my example encrypted log group.

99
00:03:52,950 --> 00:03:56,670
And this one is also associated with our KMS key ID.

100
00:03:56,670 --> 00:04:00,680
So, these are the two ways to create and associate a KMS key ID

101
00:04:00,680 --> 00:04:02,260
with the log groups in CloudWatch Logs.

102
00:04:02,260 --> 00:04:03,980
So, it cannot be done through the console.

103
00:04:03,980 --> 00:04:05,400
And I really like the fact that we had

104
00:04:05,400 --> 00:04:09,520
to modify a key policy to allow CloudWatch Logs

105
00:04:09,520 --> 00:04:10,630
to access our KMS key,

106
00:04:10,630 --> 00:04:13,530
which I think is a tremendous example in security.

107
00:04:13,530 --> 00:04:14,580
So, that's it for this lecture.

108
00:04:14,580 --> 00:04:15,413
I hope you liked it,

109
00:04:15,413 --> 00:04:17,320
and I will see you in the next lecture.