AWS CloudTrail
User Guide (Version 1.0)

Enable CloudTrail to describe CMK properties

CloudTrail requires the ability to describe the properties of the CMK. To enable this functionality, add the following required statement as is to your CMK policy. This statement does not grant CloudTrail any permissions beyond the other permissions that you specify.

{
  "Sid": "Allow CloudTrail access",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudtrail.amazonaws.com"
  },
  "Action": "kms:DescribeKey",
  "Resource": "*"
}

For steps on editing a CMK policy for use with CloudTrail, see Editing a Key Policy in the AWS Key Management Service Developer Guide.
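To confirm that a key policy actually contains the statement above, the following added example (not code from the CloudTrail guide) classifies a policy document. The function names are hypothetical, the sample policies and the account ID 111122223333 are constructed, and the check does not evaluate NotAction or NotPrincipal elements.

```python
import json
from fnmatch import fnmatchcase

SERVICE = "cloudtrail.amazonaws.com"
ACTION = "kms:describekey"  # compared lower-case; action names are case-insensitive

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def matches(stmt):
    """True if stmt names CloudTrail and covers kms:DescribeKey on resource "*"."""
    principal = stmt.get("Principal")
    services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
    actions = [a.lower() for a in as_list(stmt.get("Action"))]  # may contain * or ?
    return (SERVICE in services
            and any(fnmatchcase(ACTION, a) for a in actions)
            and "*" in as_list(stmt.get("Resource")))

def describe_key_status(policy_json):
    """Classify a key policy document: 'denied', 'ok', 'conditional' or 'missing'."""
    statements = as_list(json.loads(policy_json).get("Statement"))
    hits = [s for s in statements if matches(s)]
    if any(s.get("Effect") == "Deny" for s in hits):
        return "denied"  # any matching Deny is reported, conditional or not
    allows = [s for s in hits if s.get("Effect") == "Allow"]
    if any("Condition" not in s for s in allows):
        return "ok"
    return "conditional" if allows else "missing"

# Constructed sample policies (111122223333 is a placeholder account ID).
ROOT = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*", "Resource": "*"}
REQUIRED = {"Sid": "Allow CloudTrail access", "Effect": "Allow",
            "Principal": {"Service": SERVICE},
            "Action": "kms:DescribeKey", "Resource": "*"}
WITHOUT = json.dumps({"Version": "2012-10-17", "Statement": [ROOT]})
WITH = json.dumps({"Version": "2012-10-17", "Statement": [ROOT, REQUIRED]})

if __name__ == "__main__":
    for name, doc in (("without statement", WITHOUT), ("with statement", WITH)):
        print(name, "->", describe_key_status(doc))
```

The policy document to check can be retrieved with `aws kms get-key-policy --key-id <key-id> --policy-name default --output text`, where `<key-id>` is a placeholder for your CMK.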