AWS Security ChangesHomeSearch

AWS awscloudtrail documentation change

Service: awscloudtrail · 2025-05-28 · Documentation medium

File: awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail-update-trail.md

Summary

Updated documentation to reflect that digest files are now encrypted with SSE-KMS when enabled, expanded CLI references to include digest files and event data stores, and clarified encryption scope for KMS keys

Security assessment

The changes explicitly extend encryption coverage to digest files (previously only encrypted with SSE-S3) and event data stores when using KMS keys. While this improves security posture by ensuring more components use KMS encryption, there is no evidence this addresses an active security vulnerability. The update primarily documents expanded security capabilities rather than patching a known issue.

Diff

diff --git a/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail-update-trail.md b/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail-update-trail.md
index d52dcee8b..52a4c763f 100644
--- a//awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail-update-trail.md
+++ b//awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail-update-trail.md
@@ -9 +9 @@ Update a trail to use a KMS keyUpdate an event data store to use a KMS key
-In the CloudTrail console, update a trail or an event data store to use an AWS Key Management Service key. Be aware that using your own KMS key incurs AWS KMS costs for encryption and decryption. For more information, see [AWS Key Management Service Pricing](https://aws.amazon.com/kms/pricing/).
+On the CloudTrail console, update a trail or an event data store to use an KMS key. Be aware that using your own KMS key incurs AWS KMS costs for encryption and decryption. For more information, see [AWS Key Management Service Pricing](https://aws.amazon.com/kms/pricing/).
@@ -26,2 +25,0 @@ To update a trail to use the AWS KMS key that you modified for CloudTrail, compl
-Updating a trail with the following procedure encrypts the log files but not the digest files with SSE-KMS. Digest files are encrypted with [Amazon S3-managed encryption keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).
-
@@ -30 +28 @@ If you are using an existing S3 bucket with an [S3 Bucket Key](https://docs.aws.
-To update a trail using the AWS CLI, see [Enabling and disabling CloudTrail log file encryption with the AWS CLI](./cloudtrail-log-file-encryption-cli.html).
+To update a trail using the AWS CLI, see [Enabling and disabling encryption for CloudTrail log files, digest files and event data stores with the AWS CLI](./cloudtrail-log-file-encryption-cli.html).
@@ -40 +38 @@ To update a trail using the AWS CLI, see [Enabling and disabling CloudTrail log
-  4. For **Log file SSE-KMS encryption** , choose **Enabled** if you want to encrypt your log files using SSE-KMS encryption instead of SSE-S3 encryption. The default is **Enabled**. If you don't enable SSE-KMS encryption, your logs are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see [Using server-side encryption with AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html). For more information about SSE-S3 encryption, see [Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).
+  4. For **Log file SSE-KMS encryption** , choose **Enabled** if you want to encrypt your log files and digest files using SSE-KMS encryption instead of SSE-S3 encryption. The default is **Enabled**. If you don't enable SSE-KMS encryption, your log files and digest files are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see [Using server-side encryption with AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html). For more information about SSE-S3 encryption, see [Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).
@@ -46 +44 @@ Choose **Existing** to update your trail with your AWS KMS key. Choose a KMS key
-You can also type the ARN of a key from another account. For more information, see [Updating a resource to use your KMS key with the console](./create-kms-key-policy-for-cloudtrail-update-trail.html). The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).
+You can also type the ARN of a key from another account. For more information, see [Updating a resource to use your KMS key with the console](./create-kms-key-policy-for-cloudtrail-update-trail.html). The key policy must allow CloudTrail to use the key to encrypt your log files and digest files, and allow the users you specify to read log files or digest files in unencrypted form. For information about manually editing the key policy, see [Configure AWS KMS key policies for CloudTrail](./create-kms-key-policy-for-cloudtrail.html).
@@ -87 +85 @@ Disabling or deleting the KMS key, or removing CloudTrail permissions on the key
-  4. For **Encryption** , if it is not already enabled, choose **Use my own AWS KMS key** to encrypt your log files with your own KMS key.
+  4. For **Encryption** , if it is not already enabled, choose **Use my own AWS KMS key** to encrypt your event data store with your own KMS key.
@@ -120 +118 @@ Default KMS key policy created in CloudTrail console
-Enabling and disabling CloudTrail log file encryption with the AWS CLI
+Enabling and disabling encryption for CloudTrail log files, digest files and event data stores with the AWS CLI