Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Default KMS key policy created in CloudTrail console

Focus mode
Default KMS key policy created in CloudTrail console - AWS CloudTrail

If you create an AWS KMS key in the CloudTrail console, the following policies are automatically created for you. The policy allows these permissions:

  • Allows AWS account (root) permissions for the KMS key.

  • Allows CloudTrail to encrypt log files under the KMS key and describe the KMS key.

  • Allows all users in the specified accounts to decrypt log files.

  • Allows all users in the specified account to create a KMS alias for the KMS key.

  • Enables cross-account log decryption for the account ID of the account that created the trail.

Default KMS key policy for CloudTrail Lake event data stores

The following is the default policy created for a AWS KMS key that you use with an event data store in CloudTrail Lake.

{ "Version": "2012-10-17", "Id": "Key policy created by CloudTrail", "Statement": [ { "Sid": "The key created by CloudTrail to encrypt event data stores. Created ${new Date().toUTCString()}", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*" }, { "Sid": "Enable IAM user permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account-id:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Enable user to have permissions", "Effect": "Allow", "Principal": { "AWS" : "arn:aws:sts::account-id:role-arn" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*" } ] }

Default KMS key policy for trails

The following is the default policy created for a AWS KMS key that you use with a trail.

Note

The policy includes a statement to allow cross accounts to decrypt log files with the KMS key.

{ "Version": "2012-10-17", "Id": "Key policy created by CloudTrail", "Statement": [ { "Sid": "Enable IAM user permissions", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::account-id:root", "arn:aws:iam::account-id:user/username" ] }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "kms:GenerateDataKey*", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceArn": "arn:aws:cloudtrail:region:account-id:trail/trail-name" }, "StringLike": { "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:account-id:trail/*" } } }, { "Sid": "Allow CloudTrail to describe key", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "kms:DescribeKey", "Resource": "*" }, { "Sid": "Allow principals in the account to decrypt log files", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "kms:Decrypt", "kms:ReEncryptFrom" ], "Resource": "*", "Condition": { "StringEquals": { "kms:CallerAccount": "account-id" }, "StringLike": { "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:account-id:trail/*" } } }, { "Sid": "Allow alias creation during setup", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "kms:CreateAlias", "Resource": "arn:aws:kms:region:account-id:key/key-id", "Condition": { "StringEquals": { "kms:ViaService": "ec2.region.amazonaws.com", "kms:CallerAccount": "account-id" } } }, { "Sid": "Enable cross account log decryption", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "kms:Decrypt", "kms:ReEncryptFrom" ], "Resource": "*", "Condition": { "StringEquals": { "kms:CallerAccount": "account-id" }, "StringLike": { "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:account-id:trail/*" } } } ] }
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.