Case A: enable SSE-KMS encryption using a new KMS Customer Master Key:
01 Create a key policy that lets CloudTrail encrypt the log files of the selected trail and lets principals in your account decrypt them. Create a new policy document called cloudtrail-bucket-policy.json and paste the following, replacing aws_account_id, iam_user_name and aws_region_name with your own values. Two points to check before you use it: the first statement makes iam_user_name the key administrator (kms:*); AWS recommends naming the account root principal, arn:aws:iam::aws_account_id:root, there so the key cannot become unmanageable if that user is later deleted. The last statement ("Enable cross account log decryption") is a template and, as written, duplicates the in-account decrypt statement; to let another account read the logs, set kms:CallerAccount in that statement to the other account's ID (the encryption-context condition still limits decryption to this account's trail log files):
{
"Version": "2012-10-17",
"Id": "Key policy created by CloudTrail",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws_account_id:user/iam_user_name"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow CloudTrail to encrypt logs",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "kms:GenerateDataKey*",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:aws_account_id:trail/*"
}
}
},
{
"Sid": "Allow CloudTrail to describe key",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Allow principals in the account to decrypt log files",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "aws_account_id"
},
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:aws_account_id:trail/*"
}
}
},
{
"Sid": "Allow alias creation during setup",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "kms:CreateAlias",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "aws_account_id",
"kms:ViaService": "ec2.aws_region_name.amazonaws.com"
}
}
},
{
"Sid": "Enable cross account log decryption",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "aws_account_id"
},
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:aws_account_id:trail/*"
}
}
}
]
}
02 Run the create-key command (OSX/Linux/UNIX) with the policy document created above to create the new CMK:
aws kms create-key \
  --policy file://cloudtrail-bucket-policy.json
03 The command output should return the new CMK configuration details:
{
"KeyMetadata": {
"KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647",
"Enabled": true,
"KeyUsage": "ENCRYPT_DECRYPT",
"KeyState": "Enabled",
"CreationDate": 1460563726.544,
"Arn": "arn:aws:kms:us-east-1:123456789012:key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
"AWSAccountId": "123456789012"
}
}
04 Run create-alias command (OSX/Linux/UNIX) using your new Customer Master Key ID to attach a display name to the key:
aws kms create-alias \
  --alias-name alias/MyCloudTrailCMK \
  --target-key-id 265bb9c7-ccfc-4cf1-9686-54866f31d647
05 Run update-trail command (OSX/Linux/UNIX) using the trail name that you need to update and the new CMK key ID in order to enable SSE-KMS encryption for the trail log files:
aws cloudtrail update-trail \
  --name MyGlobalTrail \
  --kms-key-id 265bb9c7-ccfc-4cf1-9686-54866f31d647
06 The command output should return a valid key ARN as the KmsKeyId value, which confirms that SSE-KMS encryption is now enabled for the selected trail. Note that LogFileValidationEnabled is still false in this example output; digest-based log file validation is a separate setting (update-trail --enable-log-file-validation) and is worth enabling alongside encryption:
{
"IncludeGlobalServiceEvents": true,
"Name": "MyGlobalTrail",
"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyGlobalTrail",
"LogFileValidationEnabled": false,
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
"S3BucketName": "cloudtrail-global-logging"
}
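The key policy in step 01 is easy to get subtly wrong: a wildcard principal without a kms:CallerAccount scope, or a CloudTrail grant without the encryption-context condition, silently widens who can use the key. The following Python script is an added example, not part of the original guide or of any AWS tooling: it builds the policy from step 01 with the placeholders filled in (the account ID, region and the 210987654321 cross-account ID used for the demonstration are constructed values), optionally emits a properly scoped cross-account statement per external account, and lints the result before you hand it to create-key. Only the standard library is used.

```python
import json

# Constructed example values (not real accounts); replace with your own.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
KEY_ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"   # root principal, so the key cannot become unmanageable


def build_cloudtrail_key_policy(account_id, region, key_admin_arn, cross_account_ids=()):
    """Return the key policy from step 01 with its placeholders filled in.

    The statements mirror the guide. The cross-account statement is only emitted for
    accounts listed in cross_account_ids, each scoped to that account via
    kms:CallerAccount and to this account's trails via the CloudTrail encryption context.
    """
    trail_ctx = {"kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{account_id}:trail/*"}
    statements = [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": key_admin_arn}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": dict(trail_ctx)}},
        {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Sid": "Allow principals in the account to decrypt log files", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": account_id}, "StringLike": dict(trail_ctx)}},
        {"Sid": "Allow alias creation during setup", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "kms:CreateAlias", "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": account_id,
                                        "kms:ViaService": f"ec2.{region}.amazonaws.com"}}},
    ]
    for other in cross_account_ids:
        # Scoped cross-account decrypt: the other account's root principal, pinned to this
        # account's trail log files through the encryption context.
        statements.append(
            {"Sid": f"Enable cross account log decryption for {other}", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{other}:root"},
             "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
             "Condition": {"StringEquals": {"kms:CallerAccount": other}, "StringLike": dict(trail_ctx)}})
    return {"Version": "2012-10-17", "Id": "Key policy created by CloudTrail", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def audit_key_policy(policy):
    """Return a list of findings; an empty list means the policy passes the checks.

    Checks: a wildcard principal must be scoped with kms:CallerAccount and must never be
    granted kms:*; the CloudTrail GenerateDataKey grant must carry the trail-ARN
    encryption-context condition.
    """
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no sid>")
        principal = st.get("Principal", {})
        actions = _as_list(st.get("Action", []))
        cond = st.get("Condition", {})
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if wildcard:
            if "kms:CallerAccount" not in cond.get("StringEquals", {}):
                findings.append(f"{sid}: wildcard principal without kms:CallerAccount condition")
            if "kms:*" in actions:
                findings.append(f"{sid}: wildcard principal granted kms:*")
        if isinstance(principal, dict) and principal.get("Service") == "cloudtrail.amazonaws.com":
            if any(a.startswith("kms:GenerateDataKey") for a in actions) and \
                    "kms:EncryptionContext:aws:cloudtrail:arn" not in cond.get("StringLike", {}):
                findings.append(f"{sid}: CloudTrail may encrypt without the trail ARN encryption context")
    return findings


def policy_document(policy):
    """Serialize the policy for `aws kms create-key --policy file://cloudtrail-bucket-policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_cloudtrail_key_policy(ACCOUNT_ID, REGION, KEY_ADMIN_ARN, cross_account_ids=["210987654321"])
    for finding in audit_key_policy(policy) or ["policy passes all checks"]:
        print(finding)
    with open("cloudtrail-bucket-policy.json", "w") as fh:
        fh.write(policy_document(policy))
```

Run the script, review any findings it prints, and then feed the generated cloudtrail-bucket-policy.json to the create-key command from step 02. The audit is deliberately strict about wildcard principals: the page's own in-account decrypt and alias statements pass because they carry kms:CallerAccount, while a copy of the policy with that condition dropped is flagged.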
Case B: enable SSE-KMS encryption using an existing KMS Customer Master Key:
01 Run the list-aliases command (OSX/Linux/UNIX) to list the aliases of the KMS customer master keys available in the selected AWS region. Keys that have no alias do not appear in this output (use aws kms list-keys for those). The existing key must be in the same region as the S3 bucket that receives the log files:
aws kms list-aliases \
  --region us-east-1
02 The command output should return the available aliases and their configuration details (alias name, alias ARN, target key ID):
{
"Aliases": [
{
"AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/MyCloudTrailCMK",
"AliasName": "alias/MyCloudTrailCMK",
"TargetKeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"
},
{
"AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/MyEBSMasterKey",
"AliasName": "alias/MyEBSMasterKey",
"TargetKeyId": "2c165454-f692-4585-b814-81a255142894"
}
]
}
03 Run the update-trail command (OSX/Linux/UNIX) with the selected trail name and the Customer Master Key alias (the key ID or key ARN is also accepted) to update the trail configuration and enable SSE-KMS encryption:
aws cloudtrail update-trail \
  --name MyGlobalTrail \
  --kms-key-id alias/MyCloudTrailCMK
04 The command output should return the new configuration details for the selected trail. Since SSE-KMS encryption is now enabled, the KmsKeyId value should be the ARN of the key behind the alias you selected (the TargetKeyId 0a865351-7c39-4ef1-a4a3-03280af8ee05 listed for alias/MyCloudTrailCMK in step 02):
{
"IncludeGlobalServiceEvents": true,
"Name": "MyGlobalTrail",
"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyGlobalTrail",
"LogFileValidationEnabled": false,
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
"IsMultiRegionTrail": true,
"S3BucketName": "cloudtrail-global-logging"
}
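Steps 01 to 04 of Case B are worth automating as a check across all trails: resolve the alias you standardize on to its key ID, classify every trail from describe-trails output, and emit the exact update-trail commands for the ones that still need fixing. The script below is an added example, not part of the original guide or of any AWS tooling. The ALIASES list reuses the key IDs from step 02; the TRAILS list is constructed sample output in the shape of `aws cloudtrail describe-trails` (the DevTrail and LegacyTrail entries are invented for the demonstration). Only the standard library is used, so it runs offline; in practice you would load both lists from the CLI's JSON output.

```python
import re

# Constructed sample input modelled on `aws kms list-aliases` (key IDs from step 02 above).
ALIASES = [
    {"AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/MyCloudTrailCMK",
     "AliasName": "alias/MyCloudTrailCMK",
     "TargetKeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"},
    {"AliasArn": "arn:aws:kms:us-east-1:123456789012:alias/MyEBSMasterKey",
     "AliasName": "alias/MyEBSMasterKey",
     "TargetKeyId": "2c165454-f692-4585-b814-81a255142894"},
]

# Constructed sample input modelled on `aws cloudtrail describe-trails`; trail names other
# than MyGlobalTrail are invented for this example.
TRAILS = [
    {"Name": "MyGlobalTrail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
     "S3BucketName": "cloudtrail-global-logging"},
    {"Name": "DevTrail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": True,
     "S3BucketName": "cloudtrail-dev-logging"},  # no KmsKeyId: log files are not SSE-KMS encrypted
    {"Name": "LegacyTrail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/2c165454-f692-4585-b814-81a255142894",
     "S3BucketName": "cloudtrail-legacy-logging"},
]

KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$")


def resolve_alias(aliases, alias_name):
    """Return the key ID behind an alias from list-aliases output, or None if absent."""
    for entry in aliases:
        if entry["AliasName"] == alias_name:
            return entry["TargetKeyId"]
    return None


def parse_key_arn(arn):
    """Split a KMS key ARN into region, account and key ID; None if it is not a key ARN."""
    m = KEY_ARN_RE.match(arn or "")
    return m.groupdict() if m else None


def audit_trails(trails, aliases, expected_alias):
    """Classify each trail by its SSE-KMS state relative to the chosen CMK alias."""
    expected_key = resolve_alias(aliases, expected_alias)
    report = {}
    for trail in trails:
        key = parse_key_arn(trail.get("KmsKeyId"))
        if key is None:
            status = "NOT_ENCRYPTED"
        elif key["key_id"] == expected_key:
            status = "ENCRYPTED_WITH_EXPECTED_KEY"
        else:
            status = "ENCRYPTED_WITH_OTHER_KEY"   # still SSE-KMS, but not the key you standardize on
        report[trail["Name"]] = {
            "status": status,
            "key_id": key["key_id"] if key else None,
            "log_file_validation": bool(trail.get("LogFileValidationEnabled", False)),
        }
    return report


def remediation_commands(report, expected_alias):
    """Build the update-trail commands from step 03 for every trail that needs them.

    Unencrypted trails get the SSE-KMS command; trails without log file validation get the
    --enable-log-file-validation command, since digest validation is a separate setting.
    """
    cmds = []
    for name, r in sorted(report.items()):
        if r["status"] == "NOT_ENCRYPTED":
            cmds.append(f"aws cloudtrail update-trail --name {name} --kms-key-id {expected_alias}")
        if not r["log_file_validation"]:
            cmds.append(f"aws cloudtrail update-trail --name {name} --enable-log-file-validation")
    return cmds


if __name__ == "__main__":
    report = audit_trails(TRAILS, ALIASES, "alias/MyCloudTrailCMK")
    for name, r in sorted(report.items()):
        print(f"{name}: {r['status']} (key={r['key_id']}, log_file_validation={r['log_file_validation']})")
    print("\n".join(remediation_commands(report, "alias/MyCloudTrailCMK")))
```

On the sample input the report marks MyGlobalTrail as encrypted with the expected key, DevTrail as not encrypted, and LegacyTrail as encrypted with a different customer key (compliant for SSE-KMS, but worth a look), and the remediation list contains one encryption command for DevTrail plus log-file-validation commands for the two trails that have it disabled.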