AWS Security ChangesHomeSearch

AWS awscloudtrail documentation change

Service: awscloudtrail · 2025-05-28 · Documentation low

File: awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.md

Summary

Expanded encryption documentation to include digest files and event data stores, clarified KMS key requirements, and updated procedures for trails/event data stores

Security assessment

The changes extend encryption documentation to cover digest files and event data stores (previously digest files were stated to use SSE-S3), emphasizing proper KMS key configuration. While this improves security posture by clarifying encryption scope, there's no evidence of addressing a specific vulnerability. The updates enhance documentation of existing security features rather than patching an issue.

Diff

diff --git a/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.md b/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.md
index db0d939bc..e4590a71a 100644
--- a//awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.md
+++ b//awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.md
@@ -7 +7 @@ Enabling log file encryption
-# Encrypting CloudTrail log files with AWS KMS keys (SSE-KMS)
+# Encrypting CloudTrail log files, digest files, and event data stores with AWS KMS keys (SSE-KMS)
@@ -9 +9 @@ Enabling log file encryption
-By default, the log files delivered by CloudTrail to your bucket are encrypted by using [server-side encryption with a KMS key (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html). If you don't enable SSE-KMS encryption, your logs are encrypted using [SSE-S3 encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).
+By default, the log files and digest files delivered by CloudTrail to your bucket are encrypted by using [server-side encryption with a KMS key (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html). If you don't enable SSE-KMS encryption, your log files and digest files are encrypted using [SSE-S3 encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).
@@ -13 +13 @@ By default, the log files delivered by CloudTrail to your bucket are encrypted b
-Enabling server-side encryption encrypts the log files but not the digest files with SSE-KMS. Digest files are encrypted with [Amazon S3-managed encryption keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).
+If you're using an existing S3 bucket with an [S3 bucket Key](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html), CloudTrail must be allowed permission in the key policy to use the AWS KMS actions `GenerateDataKey` and `DescribeKey`. If `cloudtrail.amazonaws.com` is not granted those permissions in the key policy, you cannot create or update a trail.
@@ -15,3 +15 @@ Enabling server-side encryption encrypts the log files but not the digest files
-If you are using an existing S3 bucket with an [S3 bucket Key](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html), CloudTrail must be allowed permission in the key policy to use the AWS KMS actions `GenerateDataKey` and `DescribeKey`. If `cloudtrail.amazonaws.com` is not granted those permissions in the key policy, you cannot create or update a trail.
-
-To use SSE-KMS with CloudTrail, you create and manage a KMS key, also known as an [AWS KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html). You attach a policy to the key that determines which users can use the key for encrypting and decrypting CloudTrail log files. The decryption is seamless through S3. When authorized users of the key read CloudTrail log files, S3 manages the decryption, and the authorized users are able to read log files in unencrypted form.
+To use SSE-KMS with CloudTrail, you create and manage a [AWS KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html). You attach a policy to the key that determines which users can use the key for encrypting and decrypting CloudTrail log files and digest files. The decryption is seamless through S3. When authorized users of the key read CloudTrail log files or digest files, S3 manages the decryption, and the authorized users are able to read the files in unencrypted form.
@@ -21 +19 @@ This approach has the following advantages:
-  * You can create and manage the KMS key encryption keys yourself.
+  * You can create and manage the KMS key yourself.
@@ -23 +21 @@ This approach has the following advantages:
-  * You can use a single KMS key to encrypt and decrypt log files for multiple accounts across all Regions.
+  * You can use a single KMS key to encrypt and decrypt log files and digest files for multiple accounts across all Regions.
@@ -25 +23 @@ This approach has the following advantages:
-  * You have control over who can use your key for encrypting and decrypting CloudTrail log files. You can assign permissions for the key to the users in your organization according to your requirements.
+  * You have control over who can use your key for encrypting and decrypting CloudTrail log files and digest files. You can assign permissions for the key to the users in your organization according to your requirements.
@@ -27 +25 @@ This approach has the following advantages:
-  * You have enhanced security. With this feature, to read log files, the following permissions are required:
+  * You have enhanced security. With this feature, to read log files or digest files, the following permissions are required:
@@ -29 +27 @@ This approach has the following advantages:
-    * A user must have S3 read permissions for the bucket that contains the log files.
+    * A user must have S3 read permissions for the bucket that contains the log files and digest files.
@@ -33 +31 @@ This approach has the following advantages:
-  * Because S3 automatically decrypts the log files for requests from users authorized to use the KMS key, SSE-KMS encryption for CloudTrail log files is backward-compatible with applications that read CloudTrail log data.
+  * Because S3 automatically decrypts the log files and digest files for requests from users authorized to use the KMS key, SSE-KMS encryption for the files is backward-compatible with applications that read CloudTrail log data.
@@ -40 +38,3 @@ This approach has the following advantages:
-The KMS key that you choose must be created in the same AWS Region as the Amazon S3 bucket that receives your log files. For example, if the log files will be stored in a bucket in the US East (Ohio) Region, you must create or choose a KMS key that was created in that Region. To verify the Region for an Amazon S3 bucket, inspect its properties in the Amazon S3 console.
+The KMS key that you choose must be created in the same AWS Region as the Amazon S3 bucket that receives your log files and digest files. For example, if the log files and digest files will be stored in a bucket in the US East (Ohio) Region, you must create or choose a KMS key that was created in that Region. To verify the Region for an Amazon S3 bucket, inspect its properties in the Amazon S3 console.
+
+By default, event data stores are encrypted by CloudTrail. You have the option to use your own KMS key for encryption when you create or update an event data store.
@@ -58 +58 @@ To enable SSE-KMS encryption for CloudTrail log files, perform the following hig
-The KMS key that you choose must be in the same Region as the S3 bucket that receives your log files. To verify the Region for an S3 bucket, inspect the bucket's properties in the S3 console. 
+The KMS key that you choose must be in the same Region as the S3 bucket that receives your log files and digest files. To verify the Region for an S3 bucket, inspect the bucket's properties in the S3 console. 
@@ -60 +60 @@ The KMS key that you choose must be in the same Region as the S3 bucket that rec
-  2. Add policy sections to the key that enable CloudTrail to encrypt and users to decrypt log files. 
+  2. Add policy sections to the key that enable CloudTrail to encrypt and users to decrypt log files and digest files. 
@@ -66 +66 @@ The KMS key that you choose must be in the same Region as the S3 bucket that rec
-Be sure to include decrypt permissions in the policy for all users who need to read log files. If you do not perform this step before adding the key to your trail configuration, users without decrypt permissions cannot read encrypted files until you grant them those permissions.
+Be sure to include decrypt permissions in the policy for all users who need to read log files or digest files. If you do not perform this step before adding the key to your trail configuration, users without decrypt permissions cannot read encrypted files until you grant them those permissions.
@@ -72 +72 @@ Be sure to include decrypt permissions in the policy for all users who need to r
-  3. Update your trail to use the KMS key whose policy you modified for CloudTrail.
+  3. Update your trail or event data store to use the KMS key whose policy you modified for CloudTrail.
@@ -74 +74 @@ Be sure to include decrypt permissions in the policy for all users who need to r
-     * To update your trail configuration by using the CloudTrail console, see [Updating a resource to use your KMS key with the console](./create-kms-key-policy-for-cloudtrail-update-trail.html).
+     * To update a trail or event data store using the CloudTrail console, see [Updating a resource to use your KMS key with the console](./create-kms-key-policy-for-cloudtrail-update-trail.html).
@@ -76 +76 @@ Be sure to include decrypt permissions in the policy for all users who need to r
-     * To update your trail configuration by using the AWS CLI, see [Enabling and disabling CloudTrail log file encryption with the AWS CLI](./cloudtrail-log-file-encryption-cli.html).
+     * To update a trail or event data store using the AWS CLI, see [Enabling and disabling encryption for CloudTrail log files, digest files and event data stores with the AWS CLI](./cloudtrail-log-file-encryption-cli.html).