Required CMK policy sections for use with CloudTrail
If you created a CMK in the CloudTrail console, CloudTrail adds the required CMK policy for you. You do not need to manually add the policy statements. See Default Key Policy Created in CloudTrail Console.
If you created a CMK with the IAM console or the AWS CLI, then you must, at a minimum, add three statements to your CMK policy for it to work with CloudTrail.
When you add the new sections to your CMK policy, do not change any existing sections in the policy.
If encryption is enabled on a trail and the CMK is disabled, or the CMK policy is not correctly configured for CloudTrail, CloudTrail does not deliver log files until the CMK issue is corrected.
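The following script is an added example and is not part of the AWS documentation. It checks a key policy document for the three grants the AWS docs call for when the CMK was created outside the CloudTrail console: the CloudTrail service principal may call kms:GenerateDataKey* and kms:DescribeKey, and IAM principals in the account may call kms:Decrypt. The account ID 111122223333, the statement Sids, and the constructed sample policies are placeholders; run it against the output of aws kms get-key-policy for a real key.

```python
"""Check a KMS key policy for the three statements CloudTrail needs.

Added example, not part of the AWS documentation. For a CMK created with the
IAM console or the AWS CLI the docs call for three statements: the CloudTrail
service principal may call kms:GenerateDataKey* (encrypt log files) and
kms:DescribeKey, and the IAM principals that read the logs may call
kms:Decrypt. The account ID 111122223333 is a placeholder.
"""
from fnmatch import fnmatchcase

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
ACCOUNT_ID = "111122223333"  # placeholder account ID

# requirement -> (which kind of principal must be allowed, which KMS action)
REQUIRED = {
    "encrypt": ("service", "kms:GenerateDataKey*"),
    "describe": ("service", "kms:DescribeKey"),
    "decrypt": ("account", "kms:Decrypt"),
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allows(stmt, who, action):
    """True if `stmt` is an Allow that grants `action` to the kind of principal `who`."""
    if stmt.get("Effect") != "Allow":
        return False
    # Actions in a policy may be patterns such as "kms:GenerateDataKey*" or "kms:*".
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", []))):
        return False
    principal = stmt.get("Principal", {})
    if who == "service":
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        return CLOUDTRAIL_SERVICE in _as_list(services)
    if principal == "*":
        return True
    # "account": an IAM principal other than the account root. The default
    # "Enable IAM User Permissions" statement names only the root principal;
    # it delegates to IAM policies and is not the decrypt grant for log readers.
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p == "*" or not p.endswith(":root") for p in aws)


def missing_cloudtrail_statements(policy):
    """Return the names of the required grants the key policy does not contain."""
    statements = _as_list(policy.get("Statement", []))
    return [
        name
        for name, (who, action) in REQUIRED.items()
        if not any(_allows(s, who, action) for s in statements)
    ]


TRAIL_ARN_PATTERN = f"arn:aws:cloudtrail:*:{ACCOUNT_ID}:trail/*"

# Constructed sample: the default root statement plus the three CloudTrail sections.
COMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",  # existing section, left unchanged
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_SERVICE},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": TRAIL_ARN_PATTERN}
            },
        },
        {
            "Sid": "Allow CloudTrail to describe key",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_SERVICE},
            "Action": "kms:DescribeKey",
            "Resource": "*",
        },
        {
            "Sid": "Allow principals in the account to decrypt log files",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"kms:CallerAccount": ACCOUNT_ID},
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": TRAIL_ARN_PATTERN},
            },
        },
    ],
}

# Same policy with the decrypt section left out: CloudTrail can still encrypt
# and deliver, but the explicit decrypt grant for log readers is missing.
INCOMPLETE_POLICY = {"Version": "2012-10-17", "Statement": COMPLETE_POLICY["Statement"][:3]}

if __name__ == "__main__":
    print("complete:", missing_cloudtrail_statements(COMPLETE_POLICY))
    print("incomplete:", missing_cloudtrail_statements(INCOMPLETE_POLICY))
```

The check only looks for the presence of Allow statements; an explicit Deny elsewhere in the policy, or a condition that does not match your trail's ARN or account, can still block CloudTrail even when the script reports nothing missing, so read the conditions as well before enabling encryption on the trail.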