AWS CloudTrail is a web service that records AWS API calls for an account, and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.
We recommend that CloudTrail logs are configured to use SSE-KMS, providing additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.
To configure CloudTrail to use SSE-KMS using the Management Console, follow these steps:
- Log in to the AWS Management Console at [https://console.aws.amazon.com/].
- Open the Amazon CloudTrail console.
- In the left navigation pane, click Trails.
- Select a Trail.
- Navigate to the S3 section, click the edit button (pencil icon).
- Click Advanced.
- From the KMS key Id drop-down menu, select an existing CMK.
Ensure the CMK is located in the same region as the S3 bucket.
- For CloudTrail as a service to encrypt and decrypt log files using the CMK provided, apply a KMS Key policy on the selected CMK.
- Click Save.
- You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. Click Yes.
To update the CloudTrail, use the following command:
aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key> aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>
- Resource: AWS::CloudTrail::Trail
- Argument: Properties.KMSKeyId
Resources: myTrail: Type: AWS::CloudTrail::Trail Properties: ... + KMSKeyId: alias/MyAliasName
Updated about 2 months ago