

# Updating a resource to use your KMS key with the console
<a name="create-kms-key-policy-for-cloudtrail-update-trail"></a>

On the CloudTrail console, update a trail or an event data store to use an KMS key. Be aware that using your own KMS key incurs Amazon KMS costs for encryption and decryption. For more information, see [Amazon Key Management Service Pricing](https://www.amazonaws.cn/kms/pricing/).

**Topics**
+ [Update a trail to use a KMS key](#kms-key-policy-update-trail)
+ [Update an event data store to use a KMS key](#kms-key-policy-update-eds)

## Update a trail to use a KMS key
<a name="kms-key-policy-update-trail"></a>

To update a trail to use the Amazon KMS key that you modified for CloudTrail, complete the following steps in the CloudTrail console.

**Note**  
If you are using an existing S3 bucket with an [S3 Bucket Key](https://docs.amazonaws.cn/AmazonS3/latest/userguide/bucket-key.html), CloudTrail must be allowed permission in the key policy to use the Amazon KMS actions `GenerateDataKey` and `DescribeKey`. If `cloudtrail.amazonaws.com` is not granted those permissions in the key policy, you cannot create or update a trail.

To update a trail using the Amazon CLI, see [Enabling and disabling encryption for CloudTrail log files, digest files and event data stores with the Amazon CLI](cloudtrail-log-file-encryption-cli.md).

**To update a trail to use your KMS key**

1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at [https://console.amazonaws.cn/cloudtrail/](https://console.amazonaws.cn/cloudtrail/).

1. Choose **Trails** and then choose a trail name.

1. In **General details**, choose **Edit**.

1. For **Log file SSE-KMS encryption**, choose **Enabled** if you want to encrypt your log files and digest files using SSE-KMS encryption instead of SSE-S3 encryption. The default is **Enabled**. If you don't enable SSE-KMS encryption, your log files and digest files are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see [Using server-side encryption with Amazon Key Management Service (SSE-KMS)](https://docs.amazonaws.cn/AmazonS3/latest/userguide/UsingKMSEncryption.html). For more information about SSE-S3 encryption, see [Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)](https://docs.amazonaws.cn/AmazonS3/latest/userguide/UsingServerSideEncryption.html).

   Choose **Existing** to update your trail with your Amazon KMS key. Choose a KMS key that is in the same Region as the S3 bucket that receives your log files. To verify the Region for an S3 bucket, view its properties in the S3 console.
**Note**  
You can also type the ARN of a key from another account. For more information, see [Updating a resource to use your KMS key with the console](#create-kms-key-policy-for-cloudtrail-update-trail). The key policy must allow CloudTrail to use the key to encrypt your log files and digest files, and allow the users you specify to read log files or digest files in unencrypted form. For information about manually editing the key policy, see [Configure Amazon KMS key policies for CloudTrail](create-kms-key-policy-for-cloudtrail.md).

   In **Amazon KMS Alias**, specify the alias for which you changed the policy for use with CloudTrail, in the format `alias/`*MyAliasName*. For more information, see [Updating a resource to use your KMS key with the console](#create-kms-key-policy-for-cloudtrail-update-trail).

   You can type the alias name, ARN, or the globally unique key ID. If the KMS key belongs to another account, verify that the key policy has permissions that enable you to use it. The value can be one of the following formats:
   + **Alias Name**: `alias/MyAliasName`
   + **Alias ARN**: `arn:aws:kms:region:123456789012:alias/MyAliasName` 
   + **Key ARN**: `arn:aws:kms:region:123456789012:key/12345678-1234-1234-1234-123456789012` 
   + **Globally unique key ID**: `12345678-1234-1234-1234-123456789012` 

1. Choose **Update trail**.
**Note**  
If the KMS key that you chose is disabled or is pending deletion, you cannot save the trail with that KMS key. You can enable the KMS key or choose another one. For more information, see [Key state: Effect on your KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/key-state.html) in the *Amazon Key Management Service Developer Guide*.

## Update an event data store to use a KMS key
<a name="kms-key-policy-update-eds"></a>

To update an event data store to use the Amazon KMS key that you modified for CloudTrail, complete the following steps in the CloudTrail console.

To update an event data store by using the Amazon CLI, see [Update an event data store with the Amazon CLI](lake-cli-update-eds.md).

**Important**  
Disabling or deleting the KMS key, or removing CloudTrail permissions on the key, prevents CloudTrail from ingesting events into the event data store, and prevents users from querying data in the event data store that was encrypted with the key. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. Before you disable or delete a KMS key that you are using with an event data store, delete or back up your event data store.

**To update an event data store to use your KMS key**

1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at [https://console.amazonaws.cn/cloudtrail/](https://console.amazonaws.cn/cloudtrail/).

1. In the navigation pane, choose **Event data stores** in **Lake**. Choose an event data store to update.

1. In **General details**, choose **Edit**.

1. For **Encryption**, if it is not already enabled, choose **Use my own Amazon KMS key** to encrypt your event data store with your own KMS key.

   Choose **Existing** to update your event data store with your KMS key. Choose a KMS key that is in the same Region as the event data store. A key from another account is not supported.

   In **Enter Amazon KMS Alias**, specify the alias for which you changed the policy for use with CloudTrail, in the format `alias/`*MyAliasName*. For more information, see [Updating a resource to use your KMS key with the console](#create-kms-key-policy-for-cloudtrail-update-trail).

   You can choose an alias, or use the globally unique key ID. The value can be one of the following formats:
   + **Alias Name**: `alias/MyAliasName`
   + **Alias ARN**: `arn:aws:kms:region:123456789012:alias/MyAliasName` 
   + **Key ARN**: `arn:aws:kms:region:123456789012:key/12345678-1234-1234-1234-123456789012` 
   + **Globally unique key ID**: `12345678-1234-1234-1234-123456789012` 

1. Choose **Save changes**.
**Note**  
If the KMS key that you chose is disabled or is pending deletion, you cannot save the event data store configuration with that KMS key. You can enable the KMS key, or choose a different key. For more information, see [Key state: Effect on your KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/key-state.html) in the *Amazon Key Management Service Developer Guide*.