AWS awscloudtrail medium security documentation change
Summary
Added references to digest files in KMS key policy requirements for SSE-KMS encryption
Security assessment
The change explicitly expands encryption requirements to include digest files, ensuring proper protection of both log files and digest files. Failure to encrypt digest files could leave sensitive audit trail metadata unprotected, making this a security documentation improvement.
Diff
diff --git a/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.md b/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.md index 61c2525e6..7ec277b64 100644 --- a//awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.md +++ b//awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.md @@ -23 +23 @@ For instructions, see [Setting bucket policy for multiple accounts](./cloudtrail -If you choose to enable SSE-KMS encryption, the KMS key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html). +If you choose to enable SSE-KMS encryption, the KMS key policy must allow CloudTrail to use the key to encrypt your log files and digest files, and allow the users you specify to read log files or digest files in unencrypted form. For information about manually editing the key policy, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).