AWS Security ChangesHomeSearch

AWS awscloudtrail documentation change

Service: awscloudtrail · 2025-05-28 · Documentation low

File: awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.md

Summary

Expanded SSE-KMS encryption coverage to include digest files alongside log files in console setup documentation

Security assessment

The change clarifies that both log files and digest files are encrypted with SSE-KMS/SSE-S3, enhancing documentation about encryption scope. While encryption is a security feature, there is no evidence this addresses a specific vulnerability.

Diff

diff --git a/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.md b/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.md
index 07aca6e2c..bcae52950 100644
--- a//awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.md
+++ b//awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.md
@@ -46 +46 @@ To make it easier to find your logs, create a new folder (also known as a _prefi
-  6. For **Log file SSE-KMS encryption** , choose **Enabled** if you want to encrypt your log files using SSE-KMS encryption instead of SSE-S3 encryption. The default is **Enabled**. If you don't enable SSE-KMS encryption, your logs are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see [Using server-side encryption with AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html). For more information about SSE-S3 encryption, see [Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).
+  6. For **Log file SSE-KMS encryption** , choose **Enabled** if you want to encrypt your log files and digest files using SSE-KMS encryption instead of SSE-S3 encryption. The default is **Enabled**. If you don't enable SSE-KMS encryption, your log files and digest files are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see [Using server-side encryption with AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html). For more information about SSE-S3 encryption, see [Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).
@@ -52 +52 @@ If you enable SSE-KMS encryption, choose a **New** or **Existing** AWS KMS key.
-You can also type the ARN of a key from another account. For more information, see [Updating a resource to use your KMS key with the console](./create-kms-key-policy-for-cloudtrail-update-trail.html). The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).
+You can also type the ARN of a key from another account. For more information, see [Updating a resource to use your KMS key with the console](./create-kms-key-policy-for-cloudtrail-update-trail.html). The key policy must allow CloudTrail to use the key to encrypt your log files and digest files, and allow the users you specify to read log files or digest files in unencrypted form. For information about manually editing the key policy, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).