AWS awscloudtrail medium security documentation change
Summary
Updated KMS key policy documentation to include digest files in encryption/decryption permissions and reorganized sections about CloudTrail Lake event data stores
Security assessment
The change explicitly adds 'digest files' to both encryption (kms:GenerateDataKey) and decryption (kms:Decrypt) permissions in the default KMS key policy. This indicates an expansion of cryptographic protections to include digest files, which could contain sensitive integrity verification data. Failing to properly encrypt/decrypt digest files could lead to tampering risks or operational issues. The reorganization does not introduce security changes but clarifies documentation structure.
Diff
diff --git a/awscloudtrail/latest/userguide/default-kms-key-policy.md b/awscloudtrail/latest/userguide/default-kms-key-policy.md index 08645bfa9..d59b3757c 100644 --- a//awscloudtrail/latest/userguide/default-kms-key-policy.md +++ b//awscloudtrail/latest/userguide/default-kms-key-policy.md @@ -5 +5 @@ -Default KMS key policy for CloudTrail Lake event data stores Default KMS key policy for trails +Default KMS key policy for trailsDefault KMS key policy for CloudTrail Lake event data stores @@ -13 +13 @@ If you create an AWS KMS key in the CloudTrail console, the following policies a - * Allows CloudTrail to encrypt log files under the KMS key and describe the KMS key. + * Allows CloudTrail to encrypt log files and digest files under the KMS key and describe the KMS key. @@ -15 +15 @@ If you create an AWS KMS key in the CloudTrail console, the following policies a - * Allows all users in the specified accounts to decrypt log files. + * Allows all users in the specified accounts to decrypt log files and digest files. @@ -26,2 +25,0 @@ If you create an AWS KMS key in the CloudTrail console, the following policies a - * Default KMS key policy for CloudTrail Lake event data stores - @@ -29,0 +28 @@ If you create an AWS KMS key in the CloudTrail console, the following policies a + * Default KMS key policy for CloudTrail Lake event data stores @@ -33,44 +31,0 @@ If you create an AWS KMS key in the CloudTrail console, the following policies a -## Default KMS key policy for CloudTrail Lake event data stores - -The following is the default policy created for a AWS KMS key that you use with an event data store in CloudTrail Lake. - - - { - "Version": "2012-10-17", - "Id": "Key policy created by CloudTrail", - "Statement": [ - { - "Sid": "The key created by CloudTrail to encrypt event data stores. Created ${new Date().toUTCString()}", - "Effect": "Allow", - "Principal": { - "Service": "cloudtrail.amazonaws.com" - }, - "Action": [ - "kms:GenerateDataKey", - "kms:Decrypt" - ], - "Resource": "*" - }, - { - "Sid": "Enable IAM user permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::account-id:root" - }, - "Action": "kms:*", - "Resource": "*" - }, - { - "Sid": "Enable user to have permissions", - "Effect": "Allow", - "Principal": { - "AWS" : "arn:aws:sts::account-id:role-arn" - }, - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": "*" - } - ] - } @@ -84 +39 @@ The following is the default policy created for a AWS KMS key that you use with -The policy includes a statement to allow cross accounts to decrypt log files with the KMS key. +The policy includes a statement to allow cross accounts to decrypt log files and digest files with the KMS key. @@ -186,0 +142,45 @@ The policy includes a statement to allow cross accounts to decrypt log files wit +## Default KMS key policy for CloudTrail Lake event data stores + +The following is the default policy created for a AWS KMS key that you use with an event data store in CloudTrail Lake. + + + { + "Version": "2012-10-17", + "Id": "Key policy created by CloudTrail", + "Statement": [ + { + "Sid": "The key created by CloudTrail to encrypt event data stores. Created ${new Date().toUTCString()}", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ], + "Resource": "*" + }, + { + "Sid": "Enable IAM user permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::account-id:root" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Sid": "Enable user to have permissions", + "Effect": "Allow", + "Principal": { + "AWS" : "arn:aws:sts::account-id:role-arn" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "*" + } + ] + } +