AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).



The AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS runbook encrypts an Amazon CloudTrail (CloudTrail) trail using the Amazon Key Management Service (Amazon KMS) customer managed key you specify. This runbook should only be used as a baseline to ensure that your CloudTrail trails are encrypted according to minimum recommended security best practices. We recommend encrypting multiple trails with different KMS keys. CloudTrail digest files are not encrypted. If you have previously set the EnableLogFileValidation parameter to true for the trail, see the "Use server-side encryption with Amazon KMS managed keys" section of the CloudTrail Preventative Security Best Practices topic in the Amazon CloudTrail User Guide for more information.

Run this Automation (console)

Document type





Linux, macOS, Windows


  • AutomationAssumeRole

    Type: String

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • KMSKeyId

    Type: String

    Description: (Required) The ARN, key ID, or the key alias of the of the customer managed key you want to use to encrypt the trail you specify in the TrailName parameter.

  • TrailName

    Type: String

    Description: (Required) The ARN or name of the trail you want to update to be encrypted.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • cloudtrail:GetTrail

  • cloudtrail:UpdateTrail

Document Steps

  • aws:executeAwsApi - Enables encryption on the trail you specify in the TrailName parameter.

  • aws:executeAwsApi - Gathers the ARN for the customer managed key you specify in the KMSKeyId parameter.

  • aws:assertAwsResourceProperty - Verifies that encryption has been enabled on the CloudTrail trail.