Menu
AWS CloudTrail
User Guide (Version 1.0)

Default Key Policy Created in CloudTrail Console

If you create a customer master key (CMK) in the CloudTrail console, the following policy is automatically created for you. The policy allows these permissions:

  • Allows AWS account (root) permissions for the CMK

  • Allows CloudTrail to encrypt log files under the CMK and describe the CMK

  • Allows all users in the specified accounts to decrypt log files

  • Allows all users in the specified account to create a KMS alias for the CMK

Copy
{ "Version": "2012-10-17", "Id": "Key policy created by CloudTrail", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": {"AWS": [ "arn:aws:iam::aws-account-id:root", "arn:aws:iam::aws-account-id:user/username" ]}, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow", "Principal": {"Service": ["cloudtrail.amazonaws.com"]}, "Action": "kms:GenerateDataKey*", "Resource": "*", "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:aws-account-id:trail/*"}} }, { "Sid": "Allow CloudTrail to describe key", "Effect": "Allow", "Principal": {"Service": ["cloudtrail.amazonaws.com"]}, "Action": "kms:DescribeKey", "Resource": "*" }, { "Sid": "Allow principals in the account to decrypt log files", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": [ "kms:Decrypt", "kms:ReEncryptFrom" ], "Resource": "*", "Condition": { "StringEquals": {"kms:CallerAccount": "aws-account-id"}, "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:aws-account-id:trail/*"} } }, { "Sid": "Allow alias creation during setup", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:CreateAlias", "Resource": "*", "Condition": {"StringEquals": { "kms:ViaService": "ec2.region.amazonaws.com", "kms:CallerAccount": "aws-account-id" }} }, { "Sid": "Enable cross account log decryption", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": [ "kms:Decrypt", "kms:ReEncryptFrom" ], "Resource": "*", "Condition": { "StringEquals": {"kms:CallerAccount": "aws-account-id"}, "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:aws-account-id:trail/*"} } } ] }

Note

The policy's final statement allows cross accounts to decrypt log files with the CMK.