AWS Security ChangesHomeSearch

AWS awscloudtrail documentation change

Service: awscloudtrail · 2025-05-28 · Documentation medium

File: awscloudtrail/latest/userguide/cloudtrail-log-file-encryption-cli.md

Summary

Expanded encryption documentation coverage to include digest files and event data stores in addition to log files. Updated CLI command references and key policy requirements to reflect broader encryption scope.

Security assessment

The changes enhance documentation about encrypting additional CloudTrail components (digest files, event data stores) using SSE-KMS. While encryption is a security feature, there is no indication this addresses a specific vulnerability or incident. The updates provide clearer guidance about securing multiple data types.

Diff

diff --git a/awscloudtrail/latest/userguide/cloudtrail-log-file-encryption-cli.md b/awscloudtrail/latest/userguide/cloudtrail-log-file-encryption-cli.md
index e9fa537bc..ecd1b6353 100644
--- a//awscloudtrail/latest/userguide/cloudtrail-log-file-encryption-cli.md
+++ b//awscloudtrail/latest/userguide/cloudtrail-log-file-encryption-cli.md
@@ -5 +5 @@
-Enabling CloudTrail log file encryption by using the AWS CLIDisabling CloudTrail log file encryption by using the AWS CLI
+Enabling encryption for CloudTrail log files, digest files, and event data stores by using the AWS CLIDisabling encryption for log files and digest files by using the AWS CLI
@@ -7 +7 @@ Enabling CloudTrail log file encryption by using the AWS CLIDisabling CloudTrail
-# Enabling and disabling CloudTrail log file encryption with the AWS CLI
+# Enabling and disabling encryption for CloudTrail log files, digest files and event data stores with the AWS CLI
@@ -9 +9 @@ Enabling CloudTrail log file encryption by using the AWS CLIDisabling CloudTrail
-This topic describes how to enable and disable SSE-KMS log file encryption for CloudTrail by using the AWS CLI. For background information, see [Encrypting CloudTrail log files with AWS KMS keys (SSE-KMS)](./encrypting-cloudtrail-log-files-with-aws-kms.html).
+This topic describes how to enable and disable SSE-KMS encryption for CloudTrail log files, digest files, and event data stores by using the AWS CLI. For background information, see [Encrypting CloudTrail log files, digest files, and event data stores with AWS KMS keys (SSE-KMS)](./encrypting-cloudtrail-log-files-with-aws-kms.html).
@@ -13 +13 @@ This topic describes how to enable and disable SSE-KMS log file encryption for C
-  * Enabling CloudTrail log file encryption by using the AWS CLI
+  * Enabling encryption for CloudTrail log files, digest files, and event data stores by using the AWS CLI
@@ -15 +15 @@ This topic describes how to enable and disable SSE-KMS log file encryption for C
-  * Disabling CloudTrail log file encryption by using the AWS CLI
+  * Disabling encryption for log files and digest files by using the AWS CLI
@@ -20 +20 @@ This topic describes how to enable and disable SSE-KMS log file encryption for C
-## Enabling CloudTrail log file encryption by using the AWS CLI
+## Enabling encryption for CloudTrail log files, digest files, and event data stores by using the AWS CLI
@@ -22 +22 @@ This topic describes how to enable and disable SSE-KMS log file encryption for C
-  * Enable log file encryption for a trail
+  * Enable log file and digest file encryption for a trail
@@ -24 +24 @@ This topic describes how to enable and disable SSE-KMS log file encryption for C
-  * Enable log file encryption for an event data store
+  * Enable encryption for an event data store
@@ -29 +29 @@ This topic describes how to enable and disable SSE-KMS log file encryption for C
-###### Enable log file encryption for a trail
+###### Enable encryption for log files and digest files for a trail
@@ -35 +35 @@ This topic describes how to enable and disable SSE-KMS log file encryption for C
-  3. Add required sections to the key policy so that CloudTrail can encrypt and users can decrypt your log files. Be sure that all users who read the log files are granted decrypt permissions. Do not change existing sections of the policy. For information about the policy sections to include, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).
+  3. Add required sections to the key policy so that CloudTrail can encrypt and users can decrypt your log files and digest files. Be sure that all users who read the log files are granted decrypt permissions. Do not change existing sections of the policy. For information about the policy sections to include, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).
@@ -39 +39 @@ This topic describes how to enable and disable SSE-KMS log file encryption for C
-  5. Run the CloudTrail `create-trail` or `update-trail` command with the `--kms-key-id` parameter. This command enables log encryption.
+  5. Run the CloudTrail `create-trail` or `update-trail` command with the `--kms-key-id` parameter. This command enables encryption of log files and digest files.
@@ -64 +64 @@ The following is an example response:
-The presence of the `KmsKeyId` element indicates that log file encryption has been enabled. The encrypted log files should appear in your bucket in about 5 minutes.
+The presence of the `KmsKeyId` element indicates that encryption for your log files has been enabled. If log file validation has been enabled (indicated by the `LogFileValidationEnabled` element being set to true), this also indicates that encryption has been enabled for your digest files. The encrypted log files and digest files should appear in the S3 bucket configured for the trail within approximately 5 minutes.
@@ -69 +69 @@ The presence of the `KmsKeyId` element indicates that log file encryption has be
-###### Enable log file encryption for an event data store
+###### Enable encryption for an event data store
@@ -75 +75 @@ The presence of the `KmsKeyId` element indicates that log file encryption has be
-  3. Add required sections to the key policy so that CloudTrail can encrypt and users can decrypt your log files. Be sure that all users who read the log files are granted decrypt permissions. Do not change existing sections of the policy. For information about the policy sections to include, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).
+  3. Add required sections to the key policy so that CloudTrail can encrypt and users can decrypt your event data store. Be sure that all users who read the event data store are granted decrypt permissions. Do not change existing sections of the policy. For information about the policy sections to include, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).
@@ -79 +79 @@ The presence of the `KmsKeyId` element indicates that log file encryption has be
-  5. Run the CloudTrail `create-event-data-store` or `update-event-data-store` command, and add the `--kms-key-id` parameter. This command enables log encryption.
+  5. Run the CloudTrail `create-event-data-store` or `update-event-data-store` command, and add the `--kms-key-id` parameter. This command enables encryption of the event data store.
@@ -114 +114 @@ The following is an example response:
-The presence of the `KmsKeyId` element indicates that log file encryption has been enabled. The encrypted log files should appear in your event data store in about 5 minutes.
+The presence of the `KmsKeyId` element indicates that encryption for event data store has been enabled.
@@ -119 +119 @@ The presence of the `KmsKeyId` element indicates that log file encryption has be
-## Disabling CloudTrail log file encryption by using the AWS CLI
+## Disabling encryption for log files and digest files by using the AWS CLI
@@ -121 +121 @@ The presence of the `KmsKeyId` element indicates that log file encryption has be
-To stop encrypting logs on a trail, run `update-trail` and pass an empty string to the `kms-key-id` parameter: 
+To stop encrypting log files and digest files for a trail, run `update-trail` and pass an empty string to the `kms-key-id` parameter: 
@@ -137 +137 @@ The following is an example response:
-The absence of the `KmsKeyId` value indicates that log file encryption is no longer enabled.
+The absence of the `KmsKeyId` value indicates that encryption for log files and digest files is no longer enabled.
@@ -141 +141 @@ The absence of the `KmsKeyId` value indicates that log file encryption is no lon
-You cannot stop log file encryption on an event data store.
+You cannot stop encryption for an event data store.