AWS awscloudtrail documentation change
Summary
Expanded encryption documentation to include digest files in multiple sections
Security assessment
Adds clarification about encryption coverage for digest files, enhancing security documentation but not addressing specific vulnerabilities
Diff
diff --git a/awscloudtrail/latest/userguide/how-cloudtrail-works.md b/awscloudtrail/latest/userguide/how-cloudtrail-works.md index d44c56007..cb8bfad8c 100644 --- a//awscloudtrail/latest/userguide/how-cloudtrail-works.md +++ b//awscloudtrail/latest/userguide/how-cloudtrail-works.md @@ -46 +46 @@ If you have created an organization in AWS Organizations, you can create an _org -By default, all events in an event data store are encrypted by CloudTrail. When you configure an event data store, you can choose to use your own AWS KMS key. Using your own KMS key incurs AWS KMS costs for encryption and decryption. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. For more information, see [Encrypting CloudTrail log files with AWS KMS keys (SSE-KMS)](./encrypting-cloudtrail-log-files-with-aws-kms.html). +By default, all events in an event data store are encrypted by CloudTrail. When you configure an event data store, you can choose to use your own AWS KMS key. Using your own KMS key incurs AWS KMS costs for encryption and decryption. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. For more information, see [Encrypting CloudTrail log files, digest files, and event data stores with AWS KMS keys (SSE-KMS)](./encrypting-cloudtrail-log-files-with-aws-kms.html). @@ -112 +112 @@ If you have created an organization in AWS Organizations, you can create an _org -By default, when you create a trail in the CloudTrail console, your event log files are encrypted with a KMS key. If you choose not to enable **SSE-KMS encryption** , your event logs are encrypted using Amazon S3 server-side encryption (SSE). You can store your log files in your bucket for as long as you want. You can also define Amazon S3 lifecycle rules to archive or delete log files automatically. If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications. +By default, when you create a trail in the CloudTrail console, your event log files and digest files are encrypted with a KMS key. If you choose not to enable **SSE-KMS encryption** , your event log files and digest files are encrypted using Amazon S3 server-side encryption (SSE). You can store your log files in your bucket for as long as you want. You can also define Amazon S3 lifecycle rules to archive or delete log files automatically. If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications. @@ -146 +146 @@ If you configure a multi-Region trail to send events to a CloudWatch Logs log gr -[Enable log encryption](./encrypting-cloudtrail-log-files-with-aws-kms.html) | Log file encryption provides an extra layer of security for your log files. +[Enable SSE-KMS encryption](./encrypting-cloudtrail-log-files-with-aws-kms.html) | Encrypting your log files and digest files with a KMS key provides an extra layer of security for your CloudTrail data.