Updating a trail to use your KMS key - AWS CloudTrail

Updating a trail to use your KMS key

To update a trail to use the AWS KMS key that you modified for CloudTrail, complete the following steps in the CloudTrail console.


Updating a trail with the following procedure encrypts the log files but not the digest files with SSE-KMS. Digest files are encrypted with Amazon S3-managed encryption keys (SSE-S3).

If you are using an existing S3 bucket with an S3 Bucket Key, CloudTrail must be allowed permission in the key policy to use the AWS KMS actions GenerateDataKey and DescribeKey. If cloudtrail.amazonaws.com is not granted those permissions in the key policy, you cannot create or update a trail.

To update a trail using the AWS CLI, see Enabling and disabling CloudTrail log file encryption with the AWS CLI.

To update a trail to use your KMS key

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Choose Trails and then choose a trail name.

  3. In General details, choose Edit.

  4. For Log file SSE-KMS encryption, if it is not already enabled, choose Enabled to encrypt your log files with SSE-KMS instead of SSE-S3. The default is Enabled. For more information about this encryption type, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

    Choose Existing to update your trail with your AWS KMS key. Choose a KMS key that is in the same region as the S3 bucket that receives your log files. To verify the region for an S3 bucket, view its properties in the S3 console.


    You can also type the ARN of a key from another account. For more information, see Updating a trail to use your KMS key. The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see Configure AWS KMS key policies for CloudTrail.

    In AWS KMS Alias, specify the alias for which you chaned the policy for use with CloudTrail, in the format alias/MyAliasName. For more information, see Updating a trail to use your KMS key.

    You can type the alias name, ARN, or the globally unique key ID. If the KMS key belongs to another account, verify that the key policy has permissions that enable you to use it. The value can be one of the following formats:

    • Alias Name: alias/MyAliasName

    • Alias ARN: arn:aws:kms:region:123456789012:alias/MyAliasName

    • Key ARN: arn:aws:kms:region:123456789012:key/12345678-1234-1234-1234-123456789012

    • Globally unique key ID: 12345678-1234-1234-1234-123456789012

  5. Choose Update trail.


    If the KMS key that you chose is disabled or is pending deletion, you cannot save the trail with that KMS key. You can enable the KMS key or choose another one. For more information, see Key state: Effect on your KMS key in the AWS Key Management Service Developer Guide.