Remediation

Perform the following to configure CloudTrail to use SSE-KMS:

From Console

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
  2. In the left navigation pane, choose Trails.
  3. Click on a Trail.
  4. Under the S3 section click on the edit button (pencil icon).
  5. Click Advanced.
  6. Select an existing CMK from the KMS key Id drop-down menu.
  • Note: Ensure the CMK is located in the same region as the S3 bucket.
  • Note: You will need to apply a KMS key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK key policy.
  7. Click Save.
  8. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
  9. Click Yes.

From Command Line

Run the following command to specify a KMS key ID to use with a trail:

aws cloudtrail update-trail --name <trail-name> --kms-key-id <cloudtrail-kms-key>

Run the following command to attach a key policy to a specified KMS key:

aws kms put-key-policy --key-id <cloudtrail-kms-key> --policy-name default --policy <cloudtrail-kms-key-policy>
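The two commands above only work once the key policy actually grants CloudTrail the rights it needs, and `put-key-policy` replaces the key's entire policy rather than merging into it. As an added example (not the benchmark's own text or commands), the following POSIX shell script builds a key policy modelled on the AWS-documented CloudTrail key policy, keeps the account root as key administrator so the key cannot be orphaned, checks that the key's region matches the bucket's region (the first note above), and applies both CLI commands. The account ID, region, trail name, and key alias are constructed placeholders, and the `APPLY=1` gate and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the benchmark page. Placeholders are constructed.
set -eu

ACCOUNT_ID="123456789012"        # constructed placeholder
REGION="us-east-1"               # constructed placeholder
TRAIL_NAME="management-events"   # constructed placeholder
KEY_ID="alias/cloudtrail-logs"   # constructed placeholder; key or alias in $REGION
BUCKET_REGION="us-east-1"        # constructed placeholder; region of the trail's S3 bucket

# Print a key policy for the given account, region and trail name.
# Statement 1 keeps the account root as administrator: put-key-policy REPLACES
# the whole policy, so leaving it out can make the key unmanageable.
# Statements 2-4 mirror the grants AWS documents for CloudTrail log encryption.
cloudtrail_key_policy() {
  account_id="$1"; region="$2"; trail_name="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "cloudtrail-log-encryption",
  "Statement": [
    {
      "Sid": "Enable IAM user permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${account_id}:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudTrail to encrypt logs",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:${region}:${account_id}:trail/${trail_name}"},
        "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${account_id}:trail/*"}
      }
    },
    {
      "Sid": "Allow CloudTrail to describe key",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "Allow principals in the account to decrypt log files",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"kms:CallerAccount": "${account_id}"},
        "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${account_id}:trail/*"}
      }
    }
  ]
}
EOF
}

# Region is the 4th colon-separated field of a KMS key ARN
# (arn:aws:kms:REGION:ACCOUNT:key/ID).
key_arn_region() {
  printf '%s\n' "$1" | cut -d: -f4
}

# Succeeds only when the key ARN's region equals the bucket's region.
same_region_as_bucket() {
  [ "$(key_arn_region "$1")" = "$2" ]
}

# Apply the policy first so CloudTrail can use the key by the time the trail
# is updated to reference it. Only runs with APPLY=1 and a configured AWS CLI.
apply_encryption() {
  key_arn="$(aws kms describe-key --key-id "$KEY_ID" --query 'KeyMetadata.Arn' --output text)"
  if ! same_region_as_bucket "$key_arn" "$BUCKET_REGION"; then
    echo "key $key_arn is not in bucket region $BUCKET_REGION" >&2
    return 1
  fi
  policy_file="$(mktemp)"
  cloudtrail_key_policy "$ACCOUNT_ID" "$REGION" "$TRAIL_NAME" > "$policy_file"
  aws kms put-key-policy --key-id "$KEY_ID" --policy-name default --policy "file://$policy_file"
  aws cloudtrail update-trail --name "$TRAIL_NAME" --kms-key-id "$KEY_ID"
  rm -f "$policy_file"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_encryption
fi
```

Run it as `APPLY=1 sh configure-cloudtrail-kms.sh` after replacing the placeholders; without `APPLY=1` it only defines the functions, so the policy can be previewed with `cloudtrail_key_policy` before anything is changed. After applying, `aws cloudtrail get-trail-status` and `describe-trails` should show `KmsKeyId` set, and a principal that can read the bucket but lacks `kms:Decrypt` on the key should fail to read new log files, which is the behaviour the console notification in the steps above is warning about.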