CloudTrail KMS Policies
- Enable CloudTrail log encrypt permissions. See Granting encrypt permissions.
- Enable CloudTrail log decrypt permissions. See Grantind decrypt permissions.
- Enable CloudTrail to describe KMS key properties. See Enable CloudTrail to describe KMS key properties.
AWS Documentation
Granting encrypt permissions
| {
"Sid": "Allow CloudTrail to encrypt logs",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "kms:GenerateDataKey*",
"Resource": "arn:aws:kms:<region code>:<account id>:key/<kms key id>",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": [
"arn:aws:cloudtrail:*:<account id>:trail/*"
]
},
"StringEquals": {
"aws:SourceArn": "arn:aws:cloudtrail:<region code>:<account id>:trail/<trail name>"
}
}
}
|
AWS Documentation
Granting decrypt permissions
Before you add your KMS key to your CloudTrail configuration, it is important to give decrypt permissions to all users who require them.
Users who have encrypt permissions but no decrypt permissions will not be able to read encrypted logs.
If you are using an existing S3 bucket with an S3 Bucket Key, kms:Decrypt
permissions are required to create or update a trail with SSE-KMS encryption enabled.
| {
"Sid": "Enable CloudTrail log decrypt permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account id>:user/<user name>"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"Null": {
"kms:EncryptionContext:aws:cloudtrail:arn": "false"
}
}
}
|
AWS Documentation
Enable CloudTrail to describe KMS key properties
| {
"Sid": "Allow CloudTrail access",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "kms:DescribeKey",
"Resource": "arn:aws:kms:<region code>:<account id>:key/<key id>",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cloudtrail:<region code>:<account id>:trail/<trail name>"
}
}
}
|
AWS Documentation