AWS Security ChangesHomeSearch

AWS awscloudtrail medium security documentation change

Service: awscloudtrail · 2025-05-28 · Security-related medium

File: awscloudtrail/latest/userguide/default-kms-key-policy.md

Summary

Updated KMS key policy documentation to include digest files in encryption/decryption permissions and reorganized sections about CloudTrail Lake event data stores

Security assessment

The change explicitly adds 'digest files' to both encryption (kms:GenerateDataKey) and decryption (kms:Decrypt) permissions in the default KMS key policy. This indicates an expansion of cryptographic protections to include digest files, which could contain sensitive integrity verification data. Failing to properly encrypt/decrypt digest files could lead to tampering risks or operational issues. The reorganization does not introduce security changes but clarifies documentation structure.

Diff

diff --git a/awscloudtrail/latest/userguide/default-kms-key-policy.md b/awscloudtrail/latest/userguide/default-kms-key-policy.md
index 08645bfa9..d59b3757c 100644
--- a//awscloudtrail/latest/userguide/default-kms-key-policy.md
+++ b//awscloudtrail/latest/userguide/default-kms-key-policy.md
@@ -5 +5 @@
-Default KMS key policy for CloudTrail Lake event data stores Default KMS key policy for trails
+Default KMS key policy for trailsDefault KMS key policy for CloudTrail Lake event data stores 
@@ -13 +13 @@ If you create an AWS KMS key in the CloudTrail console, the following policies a
-  * Allows CloudTrail to encrypt log files under the KMS key and describe the KMS key.
+  * Allows CloudTrail to encrypt log files and digest files under the KMS key and describe the KMS key.
@@ -15 +15 @@ If you create an AWS KMS key in the CloudTrail console, the following policies a
-  * Allows all users in the specified accounts to decrypt log files.
+  * Allows all users in the specified accounts to decrypt log files and digest files.
@@ -26,2 +25,0 @@ If you create an AWS KMS key in the CloudTrail console, the following policies a
-  * Default KMS key policy for CloudTrail Lake event data stores 
-
@@ -29,0 +28 @@ If you create an AWS KMS key in the CloudTrail console, the following policies a
+  * Default KMS key policy for CloudTrail Lake event data stores 
@@ -33,44 +31,0 @@ If you create an AWS KMS key in the CloudTrail console, the following policies a
-## Default KMS key policy for CloudTrail Lake event data stores 
-
-The following is the default policy created for a AWS KMS key that you use with an event data store in CloudTrail Lake.
-    
-    
-    {
-          "Version": "2012-10-17",
-          "Id": "Key policy created by CloudTrail",
-          "Statement": [
-            {
-              "Sid": "The key created by CloudTrail to encrypt event data stores. Created ${new Date().toUTCString()}",
-              "Effect": "Allow",
-              "Principal": {
-                "Service": "cloudtrail.amazonaws.com"
-              },
-              "Action": [
-                "kms:GenerateDataKey",
-                "kms:Decrypt"
-              ],
-              "Resource": "*"
-            },
-            {
-              "Sid": "Enable IAM user permissions",
-              "Effect": "Allow",
-              "Principal": {
-                "AWS": "arn:aws:iam::account-id:root"
-              },
-              "Action": "kms:*",
-              "Resource": "*"
-            },
-            {
-              "Sid": "Enable user to have permissions",
-              "Effect": "Allow",
-              "Principal": {
-                "AWS" : "arn:aws:sts::account-id:role-arn"
-              },
-              "Action": [
-                "kms:Decrypt",
-                "kms:GenerateDataKey"
-               ],
-              "Resource": "*"
-            }
-          ]
-        }
@@ -84 +39 @@ The following is the default policy created for a AWS KMS key that you use with
-The policy includes a statement to allow cross accounts to decrypt log files with the KMS key.
+The policy includes a statement to allow cross accounts to decrypt log files and digest files with the KMS key.
@@ -186,0 +142,45 @@ The policy includes a statement to allow cross accounts to decrypt log files wit
+## Default KMS key policy for CloudTrail Lake event data stores 
+
+The following is the default policy created for a AWS KMS key that you use with an event data store in CloudTrail Lake.
+    
+    
+    {
+          "Version": "2012-10-17",
+          "Id": "Key policy created by CloudTrail",
+          "Statement": [
+            {
+              "Sid": "The key created by CloudTrail to encrypt event data stores. Created ${new Date().toUTCString()}",
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "cloudtrail.amazonaws.com"
+              },
+              "Action": [
+                "kms:GenerateDataKey",
+                "kms:Decrypt"
+              ],
+              "Resource": "*"
+            },
+            {
+              "Sid": "Enable IAM user permissions",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::account-id:root"
+              },
+              "Action": "kms:*",
+              "Resource": "*"
+            },
+            {
+              "Sid": "Enable user to have permissions",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS" : "arn:aws:sts::account-id:role-arn"
+              },
+              "Action": [
+                "kms:Decrypt",
+                "kms:GenerateDataKey"
+               ],
+              "Resource": "*"
+            }
+          ]
+        }
+