Default KMS key policy created in CloudTrail console - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Default KMS key policy created in CloudTrail console

If you create an Amazon KMS key in the CloudTrail console, the following key policy is automatically created for you. The policy grants these permissions:

  • Allows Amazon Web Services account (root) permissions for the KMS key.

  • Allows CloudTrail to encrypt log files under the KMS key and describe the KMS key.

  • Allows all users in the specified accounts to decrypt log files.

  • Allows all users in the specified account to create a KMS alias for the KMS key.

  • Enables cross-account log decryption for the account ID of the account that created the trail.
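The five permissions above map to distinct statements in the key policy, and the two that grant access to "all users in an account" do so with a wildcard principal that is narrowed by a condition on the calling account. The script below is an added example, not the documentation's own policy text: it builds a key policy with one statement per permission in the list, then audits it for the main risk in this shape of policy, an Allow statement with `Principal: "*"` that is not scoped by a `kms:CallerAccount` condition. The account IDs, Region, statement Sids and the exact condition layout are assumptions made for illustration; the condition keys used (`kms:CallerAccount`, `kms:EncryptionContext:aws:cloudtrail:arn`) are real KMS condition keys.

```python
"""Added example: builds and audits a CloudTrail-style KMS key policy.

Not AWS's verbatim default policy. Account IDs, Region and Sids are
constructed placeholders; the statement layout is this example's own.
"""
import json


def build_cloudtrail_key_policy(account_id, cross_account_ids=(), region="us-east-1"):
    """Return a key policy dict with one statement per permission the page lists."""
    own_trails = f"arn:aws:cloudtrail:*:{account_id}:trail/*"
    statements = [
        {   # Root of the key-owning account gets full control of the key.
            "Sid": "EnableRootPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # CloudTrail may generate data keys, but only when encrypting
            # logs for a trail that belongs to this account.
            "Sid": "AllowCloudTrailEncrypt",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": own_trails}},
        },
        {   # CloudTrail may describe the key.
            "Sid": "AllowCloudTrailDescribe",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:DescribeKey",
            "Resource": "*",
        },
        {   # Any principal in the owning account may decrypt its log files.
            # The wildcard principal is narrowed by kms:CallerAccount.
            "Sid": "AllowLogDecrypt",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"kms:CallerAccount": account_id},
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": own_trails},
            },
        },
        {   # Any principal in the owning account may create an alias for the key.
            "Sid": "AllowAliasCreation",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "kms:CreateAlias",
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:CallerAccount": account_id}},
        },
    ]
    # Cross-account decryption: each listed account may decrypt logs that
    # were written by trails it created itself, and nothing else.
    for other in cross_account_ids:
        statements.append({
            "Sid": f"AllowCrossAccountDecrypt{other}",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"kms:CallerAccount": other},
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{other}:trail/*"
                },
            },
        })
    return {"Version": "2012-10-17", "Id": f"example-cloudtrail-key-{region}", "Statement": statements}


def unscoped_wildcard_statements(policy):
    """Return the Sids of Allow statements whose Principal is "*" but that carry
    no kms:CallerAccount condition. Such a statement lets any AWS account use the key."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if not wildcard:
            continue
        conditions = stmt.get("Condition", {})
        scoped = any("kms:CallerAccount" in keys for keys in conditions.values())
        if not scoped:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    policy = build_cloudtrail_key_policy("111111111111", ["222222222222"])
    print(json.dumps(policy, indent=2))
    print("unscoped wildcard statements:", unscoped_wildcard_statements(policy))
```

The audit accepts any condition operator (`StringEquals`, `ForAnyValue:StringEquals`, and so on) as long as `kms:CallerAccount` appears among its keys; run it against a key policy fetched with `get-key-policy` before trusting a key that a console wizard or a colleague generated, since removing the condition from either wildcard statement silently opens the key to every account.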

Default KMS key policy for trails

The following is the default policy created for an Amazon KMS key that you use with a trail.

Note

The policy includes a statement to allow cross accounts to decrypt log files with the KMS key.