AWS CloudTrail
User Guide (Version 1.0)

Updating a Trail to Use Your CMK

To update a trail to use the customer master key (CMK) that you modified for CloudTrail, complete the following steps in the CloudTrail console.

To update a trail using the AWS CLI, see Enabling and disabling CloudTrail log file encryption with the AWS CLI.

To update a trail to use your CMK

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Navigate to the Configuration page for your trail.

  3. Click the pencil icon to the right of S3.

  4. Choose Advanced.

  5. For Encrypt log files, choose Yes to have CloudTrail encrypt your log files with the CMK.

  6. For Create a new KMS key, choose No.

  7. For KMS key, choose the CMK alias whose policy you modified for use with CloudTrail.

    Note

    Choose a CMK that is in the same region as the S3 bucket that receives your log files. To verify the region that an S3 bucket belongs to, inspect its properties in the S3 console.

    [Image: Choose the CMK alias whose policy you have updated for use with CloudTrail]

    You can type the alias name, ARN, or the globally unique key ID. If the CMK belongs to another account, verify that the key policy has permissions that enable you to use it. The value can be one of the following formats:

    • Alias Name: alias/MyAliasName

    • Alias ARN: arn:aws:kms:us-east-1:123456789012:alias/MyAliasName

    • Key ARN: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012

    • Globally unique key ID: 12345678-1234-1234-1234-123456789012

  8. Choose Save.

    Note

    If the CMK that you chose is disabled or is pending deletion, you won't be able to save the trail with that CMK. You can enable the CMK or choose another one. For more information, see How Key State Affects Use of a Customer Master Key.
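The following bash script is an added example; it is not part of the AWS documentation and is not AWS code. It performs the same update from the AWS CLI (`aws cloudtrail update-trail --kms-key-id`) and, before calling it, applies the two checks from the notes above: that the key is not disabled or pending deletion, and that the key lives in the same region as the S3 bucket. The helper function names, the trail name `my-trail` and the bucket name `my-cloudtrail-bucket` are placeholders chosen for this example; the key identifier formats are the four listed above.

```shell
#!/usr/bin/env bash
# Added example, not AWS documentation code. Preflight checks for a CloudTrail
# CMK, followed by the CLI call that points the trail at it.
# Placeholders (assumptions for this example): my-trail, my-cloudtrail-bucket,
# alias/MyAliasName. Replace them with your own values.
set -eu

# Classify a KMS key identifier into one of the four formats the console accepts:
# alias name, alias ARN, key ARN, or globally unique key ID.
kms_id_format() {
  case "$1" in
    alias/*)                              echo "alias-name" ;;
    arn:aws:kms:*:*:alias/*)              echo "alias-arn" ;;
    arn:aws:kms:*:*:key/*)                echo "key-arn" ;;
    ????????-????-????-????-????????????) echo "key-id" ;;
    *)                                    echo "unknown" ;;
  esac
}

# Region embedded in a key or alias ARN. Bare aliases and key IDs carry no
# region (they resolve in the caller's configured region), so print nothing.
kms_arn_region() {
  case "$1" in
    arn:aws:kms:*) local rest="${1#arn:aws:kms:}"; echo "${rest%%:*}" ;;
    *)             echo "" ;;
  esac
}

# Decide from a KeyState value (as returned by `aws kms describe-key`) whether
# the trail update would be refused. Prints "ok" or the refusal reason.
key_state_usable() {
  case "$1" in
    Enabled)         echo "ok" ;;
    Disabled)        echo "refused: key is disabled" ;;
    PendingDeletion) echo "refused: key is pending deletion" ;;
    *)               echo "refused: unexpected key state $1" ;;
  esac
}

# True when the CMK and the bucket are in the same region. S3 reports the
# us-east-1 location as null/None (LocationConstraint), so normalise that first.
# An empty key region (bare alias or key ID) is accepted: it resolves in the
# region the CLI is configured for.
regions_match() {
  local key_region="$1" bucket_region="$2"
  case "$bucket_region" in
    null|None|"") bucket_region="us-east-1" ;;
  esac
  [ -z "$key_region" ] || [ "$key_region" = "$bucket_region" ]
}

# Live path: needs AWS credentials and the AWS CLI. Runs the checks above
# against real key metadata, then updates the trail.
update_trail_kms() {
  local trail="$1" bucket="$2" key_id="$3"
  local state key_arn bucket_region verdict
  state=$(aws kms describe-key --key-id "$key_id" \
            --query KeyMetadata.KeyState --output text)
  key_arn=$(aws kms describe-key --key-id "$key_id" \
              --query KeyMetadata.Arn --output text)
  bucket_region=$(aws s3api get-bucket-location --bucket "$bucket" \
                    --query LocationConstraint --output text)
  verdict=$(key_state_usable "$state")
  [ "$verdict" = "ok" ] || { echo "$verdict" >&2; return 1; }
  regions_match "$(kms_arn_region "$key_arn")" "$bucket_region" \
    || { echo "refused: CMK and bucket are in different regions" >&2; return 1; }
  echo "Updating trail $trail to use KMS key $key_id (format: $(kms_id_format "$key_id"))"
  aws cloudtrail update-trail --name "$trail" --kms-key-id "$key_id"
}

# Only touch AWS when explicitly asked, so the helpers can be sourced and
# checked offline. Usage: RUN_UPDATE=1 TRAIL_NAME=... BUCKET=... KMS_KEY_ID=... ./update-trail-cmk.sh
if [ "${RUN_UPDATE:-0}" = "1" ]; then
  update_trail_kms "${TRAIL_NAME:-my-trail}" \
                   "${BUCKET:-my-cloudtrail-bucket}" \
                   "${KMS_KEY_ID:-alias/MyAliasName}"
fi
```

The script deliberately queries the key state before calling `update-trail`, so a disabled or pending-deletion key produces a readable refusal rather than an API error, and the region comparison catches the cross-region mistake the first note warns about before any change is made to the trail.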