En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Encrypt CloudTrail logs via Control Tower

0

Hi,

Currently I would like to encrypt CloudTrail logs in my Root account via a KMS key managed by me.

This trail exists in all my environments due to the use of Control Tower, through the Root account I have the possibility of adding the KMS key to the existing Landing Zone, but I would like to know if when applying this configuration, the other accounts will also be requesting this KMS key, and if so, how can I share this key with other accounts.

Sujets
Sécurité, identité et conformitéGestion et gouvernance
Balises
Service AWS Key ManagementSécurité, identité et conformitéTour de contrôle AWSGestion et gouvernanceAWS CloudTrail
Langue
English
Carlos Alexandre
demandé il y a 3 mois763 vues
1 réponse
1

Hi THere

You dont need to share the key with other accounts. To use a KMS key with AWS Control Tower, you must update the default KMS key policy by adding the minimum required permissions for AWS Config and AWS CloudTrail.

See https://docs.aws.amazon.com/controltower/latest/userguide/configure-kms-keys.html

profile pictureAWS
EXPERT
Matt-B
répondu il y a 3 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents