Updating a resource to use your KMS key - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Updating a resource to use your KMS key

In the Amazon CloudTrail console, update a trail or an event data store to use an Amazon Key Management Service key. Be aware that using your own KMS key incurs Amazon KMS costs for encryption and decryption. For more information, see Amazon Key Management Service Pricing.

Update a trail to use a KMS key

To update a trail to use the Amazon KMS key that you modified for CloudTrail, complete the following steps in the CloudTrail console.

Note

Updating a trail with the following procedure encrypts the log files but not the digest files with SSE-KMS. Digest files are encrypted with Amazon S3-managed encryption keys (SSE-S3).

If you are using an existing S3 bucket with an S3 Bucket Key, CloudTrail must be allowed permission in the key policy to use the Amazon KMS actions GenerateDataKey and DescribeKey. If cloudtrail.amazonaws.com is not granted those permissions in the key policy, you cannot create or update a trail.

To update a trail using the Amazon CLI, see Enabling and disabling CloudTrail log file encryption with the Amazon CLI.

To update a trail to use your KMS key
  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. Choose Trails and then choose a trail name.

  3. In General details, choose Edit.

  4. For Log file SSE-KMS encryption, choose Enabled if you want to encrypt your log files using SSE-KMS encryption instead of SSE-S3 encryption. The default is Enabled. If you don't enable SSE-KMS encryption, your logs are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see Using server-side encryption with Amazon Key Management Service (SSE-KMS). For more information about SSE-S3 encryption, see Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

    Choose Existing to update your trail with your Amazon KMS key. Choose a KMS key that is in the same region as the S3 bucket that receives your log files. To verify the region for an S3 bucket, view its properties in the S3 console.

    Note

    You can also type the ARN of a key from another account. For more information, see Updating a resource to use your KMS key. The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see Configure Amazon KMS key policies for CloudTrail.

    In Amazon KMS Alias, specify the alias for which you changed the policy for use with CloudTrail, in the format alias/MyAliasName. For more information, see Updating a resource to use your KMS key.

    You can type the alias name, ARN, or the globally unique key ID. If the KMS key belongs to another account, verify that the key policy has permissions that enable you to use it. The value can be one of the following formats:

    • Alias Name: alias/MyAliasName

    • Alias ARN: arn:aws:kms:region:123456789012:alias/MyAliasName

    • Key ARN: arn:aws:kms:region:123456789012:key/12345678-1234-1234-1234-123456789012

    • Globally unique key ID: 12345678-1234-1234-1234-123456789012

  5. Choose Update trail.

    Note

    If the KMS key that you chose is disabled or is pending deletion, you cannot save the trail with that KMS key. You can enable the KMS key or choose another one. For more information, see Key state: Effect on your KMS key in the Amazon Key Management Service Developer Guide.

Update an event data store to use a KMS key

To update an event data store to use the Amazon KMS key that you modified for CloudTrail, complete the following steps in the CloudTrail console.

To update an event data store by using the Amazon CLI, see Update an event data store.

Important

Disabling or deleting the KMS key, or removing CloudTrail permissions on the key, prevents CloudTrail from ingesting events into the event data store, and prevents users from querying data in the event data store that was encrypted with the key. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. Before you disable or delete a KMS key that you are using with an event data store, delete or back up your event data store.

To update an event data store to use your KMS key
  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. In the navigation pane, choose Event data stores in Lake. Choose an event data store to update.

  3. In General details, choose Edit.

  4. For Encryption, if it is not already enabled, choose Use my own Amazon KMS key to encrypt your log files with your own KMS key.

    Choose Existing to update your event data store with your KMS key. Choose a KMS key that is in the same region as the event data store. A key from another account is not supported.

    In Enter Amazon KMS Alias, specify the alias for which you changed the policy for use with CloudTrail, in the format alias/MyAliasName. For more information, see Updating a resource to use your KMS key.

    You can choose an alias, or use the globally unique key ID. The value can be one of the following formats:

    • Alias Name: alias/MyAliasName

    • Alias ARN: arn:aws:kms:region:123456789012:alias/MyAliasName

    • Key ARN: arn:aws:kms:region:123456789012:key/12345678-1234-1234-1234-123456789012

    • Globally unique key ID: 12345678-1234-1234-1234-123456789012

  5. Choose Save changes.

    Note

    If the KMS key that you chose is disabled or is pending deletion, you cannot save the event data store configuration with that KMS key. You can enable the KMS key, or choose a different key. For more information, see Key state: Effect on your KMS key in the Amazon Key Management Service Developer Guide.