CloudTrail Encryption

  • By default, the log files CloudTrail delivers to your S3 bucket are encrypted with server-side encryption using S3-managed keys (SSE-S3). You get encryption at rest, but no control over who can use the key.

  • To add an encryption layer that you control directly (who may use the key, when it rotates, and a record of every use in the KMS API events), you can instead use server-side encryption with KMS-managed keys (SSE-KMS) for your CloudTrail log files.

  • Enabling SSE-KMS on a trail encrypts the log files only. The digest files produced by log file validation are not covered by the KMS key; they stay encrypted with S3-managed keys (SSE-S3).

  • To use SSE-KMS with CloudTrail, you create and manage a customer managed KMS key (historically called a CMK). The key must be in the same Region as the S3 bucket that receives the logs, or be a multi-Region key.

  • You attach a key policy that determines which principals can use the key. It has to do two jobs: grant the CloudTrail service principal (cloudtrail.amazonaws.com) permission to generate data keys and describe the key, so log delivery works, and grant kms:Decrypt to the users or roles that read the logs. Decryption itself is handled transparently by S3.

  • When an authorized principal reads a CloudTrail log file, S3 calls KMS to decrypt it on that principal's behalf and returns the object in unencrypted form. Reading therefore requires both s3:GetObject on the bucket and kms:Decrypt on the key; a reader with only the S3 permission gets an access denied error.
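The key policy described in the last three bullets is easy to get subtly wrong (a missing service grant stops log delivery, a missing reader grant stops analysts). The script below is an added example, not AWS code: it builds a key policy in the shape AWS documents for CloudTrail SSE-KMS and statically checks who it lets do what. The account id, Region, trail name and SecurityAnalyst role are constructed placeholders; the evaluator is deliberately coarse (it ignores Condition blocks, which can only narrow access), so a "not allowed" answer is definitive while an "allowed" answer still depends on the request context.

```python
"""Static check of a KMS key policy meant for CloudTrail SSE-KMS (added example,
not AWS code; account id, Region, trail and reader role are constructed placeholders)."""
import fnmatch

ACCOUNT = "111122223333"                                                # constructed
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail"   # constructed
LOG_READER = f"arn:aws:iam::{ACCOUNT}:role/SecurityAnalyst"             # constructed
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT}:root"
CLOUDTRAIL = "cloudtrail.amazonaws.com"

def cloudtrail_key_policy() -> dict:
    """Key policy with the sections CloudTrail needs, plus one log reader."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Keeps the account able to manage the key through IAM policies.
                "Sid": "Enable IAM policies",
                "Effect": "Allow",
                "Principal": {"AWS": KEY_ADMIN},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # CloudTrail requests a data key for every log file it writes.
                "Sid": "Allow CloudTrail to encrypt logs",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {  # pin the grant to this account's trails
                    "StringEquals": {"AWS:SourceArn": TRAIL_ARN},
                    "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                   f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"},
                },
            },
            {
                "Sid": "Allow CloudTrail to describe key",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
            {   # S3 calls Decrypt on the reader's behalf during GetObject, so the
                # reader needs kms:Decrypt in addition to s3:GetObject.
                "Sid": "Enable CloudTrail log decrypt permissions",
                "Effect": "Allow",
                "Principal": {"AWS": LOG_READER},
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": {"Null": {"kms:EncryptionContext:aws:cloudtrail:arn": "false"}},
            },
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Yield (kind, identifier) pairs; kind is 'AWS' or 'Service'."""
    for kind, ids in stmt.get("Principal", {}).items():
        for ident in _as_list(ids):
            yield kind, ident

def allows(policy: dict, kind: str, principal: str, action: str) -> bool:
    """Coarse evaluation: a matching Deny wins, otherwise any matching Allow.
    Conditions are ignored: they only narrow a grant, so False is definitive
    while True still depends on the request context."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(k == kind and i in ("*", principal) for k, i in _principals(stmt)):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _as_list(stmt.get("Action", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def cloudtrail_can_deliver(policy: dict) -> bool:
    """True when the service principal may describe the key and generate data keys."""
    return (allows(policy, "Service", CLOUDTRAIL, "kms:DescribeKey")
            and allows(policy, "Service", CLOUDTRAIL, "kms:GenerateDataKey"))

def decrypt_principals(policy: dict) -> set:
    """IAM principals the key policy lets read SSE-KMS CloudTrail objects."""
    candidates = {i for s in policy["Statement"] for k, i in _principals(s) if k == "AWS"}
    return {p for p in candidates if allows(policy, "AWS", p, "kms:Decrypt")}

def without_sid(policy: dict, sid: str) -> dict:
    """Copy of the policy minus one statement, for what-if checks."""
    return {**policy, "Statement": [s for s in policy["Statement"] if s.get("Sid") != sid]}

if __name__ == "__main__":
    good = cloudtrail_key_policy()
    print("CloudTrail can deliver:", cloudtrail_can_deliver(good))
    print("Principals able to decrypt:", sorted(decrypt_principals(good)))
    print("Without the GenerateDataKey grant:",
          cloudtrail_can_deliver(without_sid(good, "Allow CloudTrail to encrypt logs")))
```

Two design points worth noting. The service principal is never granted kms:Decrypt: CloudTrail only needs to produce data keys, and decryption happens under the reader's identity when S3 serves the object. The reader statement is conditioned on the CloudTrail encryption context, so the same key policy does not silently let that role decrypt other data encrypted under the key.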
