AWS Security ChangesHomeSearch

AWS awscloudtrail medium security documentation change

Service: awscloudtrail · 2025-05-28 · Security-related medium

File: awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.md

Summary

Expanded SSE-KMS encryption documentation to explicitly include digest files in multiple sections

Security assessment

The documentation now clarifies that both log files and digest files require encryption protection. This addresses a potential misconfiguration risk where digest files might have been left unencrypted due to incomplete documentation, improving security posture for audit trail integrity.

Diff

diff --git a/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.md b/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.md
index cc2acc229..291a028de 100644
--- a//awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.md
+++ b//awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.md
@@ -64 +64 @@ To make it easier to find your logs, create a new folder (also known as a _prefi
-    3. For **Log file SSE-KMS encryption** , choose **Enabled** if you want to encrypt your log files using SSE-KMS encryption instead of SSE-S3 encryption. The default is **Enabled**. If you don't enable SSE-KMS encryption, your logs are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see [Using server-side encryption with AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html). For more information about SSE-S3 encryption, see [Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).
+    3. For **Log file SSE-KMS encryption** , choose **Enabled** if you want to encrypt your log files and digest files using SSE-KMS encryption instead of SSE-S3 encryption. The default is **Enabled**. If you don't enable SSE-KMS encryption, your log files and digest files are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see [Using server-side encryption with AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html). For more information about SSE-S3 encryption, see [Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).
@@ -70 +70 @@ If you enable SSE-KMS encryption, choose a **New** or **Existing** AWS KMS key.
-You can also type the ARN of a key from another account. For more information, see [Updating a resource to use your KMS key with the console](./create-kms-key-policy-for-cloudtrail-update-trail.html). The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).
+You can also type the ARN of a key from another account. For more information, see [Updating a resource to use your KMS key with the console](./create-kms-key-policy-for-cloudtrail-update-trail.html). The key policy must allow CloudTrail to use the key to encrypt your log files and digest files, and allow the users you specify to read log files or digest files in unencrypted form. For information about manually editing the key policy, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).