Updating a Trail to Use Your CMK - AWS CloudTrail

Updating a Trail to Use Your CMK

To update a trail to use the customer master key (CMK) that you modified for CloudTrail, complete the following steps in the CloudTrail console.


Updating a trail with the following procedure encrypts the log files but not the digest files with SSE-KMS. Digest files are encrypted with Amazon S3-managed encryption keys (SSE-S3).

If you are using an existing S3 bucket with an S3 Bucket Key, CloudTrail must be allowed permission in the key policy to use the AWS KMS actions GenerateDataKey and DescribeKey. If cloudtrail.amazonaws.com is not granted those permissions in the key policy, you cannot create or update a trail.

To update a trail using the AWS CLI, see Enabling and disabling CloudTrail log file encryption with the AWS CLI.

To update a trail to use your CMK

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Choose Trails and then choose a trail name.

  3. In General details, choose Edit.

  4. For Log file SSE-KMS encryption, if it is not already enabled, choose Enabled to encrypt your log files with SSE-KMS instead of SSE-S3. The default is Enabled. For more information about this encryption type, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

    Choose Existing to update your trail with your AWS KMS customer master key. Choose a CMK that is in the same region as the S3 bucket that receives your log files. To verify the region for an S3 bucket, view its properties in the S3 console.


    You can also type the ARN of a key from another account. For more information, see Updating a Trail to Use Your CMK. The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see Configure AWS KMS Key Policies for CloudTrail.

    In AWS KMS Alias, specify the alias for which you changed the policy for use with CloudTrail, in the format alias/MyAliasName. For more information, see Updating a Trail to Use Your CMK.

    You can type the alias name, ARN, or the globally unique key ID. If the CMK belongs to another account, verify that the key policy has permissions that enable you to use it. The value can be one of the following formats:

    • Alias Name: alias/MyAliasName

    • Alias ARN: arn:aws:kms:region:123456789012:alias/MyAliasName

    • Key ARN: arn:aws:kms:region:123456789012:key/12345678-1234-1234-1234-123456789012

    • Globally unique key ID: 12345678-1234-1234-1234-123456789012

  5. Choose Update trail.


    If the CMK that you chose is disabled or is pending deletion, you cannot save the trail with that CMK. You can enable the CMK or choose another one. For more information, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.