
How do I resolve CloudTrail encryption permission errors when I create or update my trail?


When I try to create an AWS CloudTrail trail or update an existing trail, I receive an "InsufficientEncryptionPolicyException" or "Insufficient permissions" error.

Resolution

To create or update a CloudTrail trail with encrypted logs, CloudTrail requires permissions to write logs to the Amazon Simple Storage Service (Amazon S3) bucket with AWS Key Management Service (AWS KMS) encryption.

To resolve an "InsufficientEncryptionPolicyException" or "Insufficient permissions to access S3 bucket or KMS key" error, update the AWS KMS key policy. Then, configure the Amazon S3 bucket policy with the required CloudTrail permissions.

Update the AWS KMS key policy to allow CloudTrail encryption

Complete the following steps:

  1. Open the CloudTrail console.

  2. Select your CloudTrail trail.

  3. Under Log file SSE-KMS encryption, copy the AWS KMS key ID.

  4. Open the AWS KMS console.

  5. Search for the AWS KMS key ID, and then select your key from the AWS KMS key list.

  6. Choose Permissions.

  7. Under Key policy, choose Switch to policy view.

  8. Choose Edit.

  9. Check that your AWS KMS key policy has the following permissions:

    {
        "Version": "2012-10-17",
        "Id": "Key policy created by CloudTrail",
        "Statement": [
            {
                "Sid": "Enable admin permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::111122223333:root"
                    ]
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow CloudTrail to encrypt logs",
                "Effect": "Allow",
                "Principal": {
                    "Service": "cloudtrail.amazonaws.com"
                },
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceArn": "arn:aws:cloudtrail:region:111122223333:trail/trailName"
                    }
                }
            },
            {
                "Sid": "Allow CloudTrail to describe key",
                "Effect": "Allow",
                "Principal": {
                    "Service": "cloudtrail.amazonaws.com"
                },
                "Action": "kms:DescribeKey",
                "Resource": "*"
            },
            {
                "Sid": "Allow principals in other account to decrypt log files",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": [
                    "kms:Decrypt",
                    "kms:ReEncryptFrom"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111122223333:trail/*"
                    }
                }
            }
        ]
    }

    Note: Replace arn:aws:iam::111122223333:root with the Amazon Resource Name (ARN) of your AWS Identity and Access Management (IAM) principal. Replace arn:aws:cloudtrail:region:111122223333:trail/trailName with the ARN of your CloudTrail trail.

Update the S3 bucket policy to allow CloudTrail permissions to write logs

Important: Replace arn:aws:cloudtrail:region:111122223333:trail/trailName with the ARN of your CloudTrail trail, Bucket_Name with your S3 bucket name, and managementAccountID and o-organizationID with your AWS Organizations details. If you use a prefix, then replace optionalPrefix with your prefix path.

If you created the trail in an organization, then update the S3 bucket policy with the following policy statement:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::Bucket_Name",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:cloudtrail:region:111122223333:trail/trailName"
                }
            }
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::Bucket_Name/AWSLogs/managementAccountID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:region:111122223333:trail/trailName"
                }
            }
        },
        {
            "Sid": "AWSCloudTrailOrganizationWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::Bucket_Name/AWSLogs/o-organizationID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:region:111122223333:trail/trailName"
                }
            }
        }
    ]
}

If you didn't create the trail in an organization, then update the S3 bucket policy with the following policy statement instead:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::Bucket_Name",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:region:111122223333:trail/trailName"
        }
      }
    },
    {
      "Sid": "AWSCloudTrailWritePermissions",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::Bucket_Name/optionalPrefix/AWSLogs/111122223333/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "arn:aws:cloudtrail:region:111122223333:trail/trailName"
        }
      }
    }
  ]
}
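The two policies above (the AWS KMS key policy and the S3 bucket policy) each need a specific set of statements before CloudTrail can encrypt and deliver logs, and a missing or unscoped statement is exactly what produces the "InsufficientEncryptionPolicyException" and "Insufficient permissions" errors. The following added example, which is not part of this article or of any AWS tool, is an offline checker that parses a key policy and a bucket policy document (for example, the JSON returned by `aws kms get-key-policy` or `aws s3api get-bucket-policy`) and reports which required grants are missing or not pinned to the trail with `aws:SourceArn`. All account IDs, bucket names, trail ARNs and policies in it are constructed placeholders; the region `us-east-1` is filled in so that the `aws:SourceArn` equality check has a concrete value to compare.

```python
"""Offline checker for the CloudTrail statements a KMS key policy and an S3 bucket
policy need before a trail with SSE-KMS log encryption can write logs.
Added example; every identifier below is a constructed placeholder."""
import fnmatch

CLOUDTRAIL = "cloudtrail.amazonaws.com"


def _as_list(value):
    # IAM accepts a string or a list for Principal/Action/Resource; normalise to a list.
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principals(stmt):
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    return _as_list(p.get("Service")) + _as_list(p.get("AWS")) if isinstance(p, dict) else []


def _condition(stmt, operator, key):
    return stmt.get("Condition", {}).get(operator, {}).get(key)


def _find_allow(policy, principal, action, resource):
    """First Allow statement granting `action` on `resource` to `principal` (wildcards honoured)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or principal not in _principals(stmt):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            return stmt
    return None


def _scoped_to_trail(stmt, trail_arn):
    # aws:SourceArn pins the grant to one trail, so a trail in another account cannot use this key or bucket.
    return _condition(stmt, "StringEquals", "aws:SourceArn") == trail_arn


def check_kms_key_policy(policy, trail_arn):
    """Return a list of findings; an empty list means the key policy has the statements the article requires."""
    findings = []
    gen = _find_allow(policy, CLOUDTRAIL, "kms:GenerateDataKey", "*")
    if gen is None:
        findings.append("missing: cloudtrail.amazonaws.com needs kms:GenerateDataKey* (InsufficientEncryptionPolicyException)")
    elif not _scoped_to_trail(gen, trail_arn):
        findings.append("weak: kms:GenerateDataKey* grant is not limited to this trail via aws:SourceArn")
    if _find_allow(policy, CLOUDTRAIL, "kms:DescribeKey", "*") is None:
        findings.append("missing: cloudtrail.amazonaws.com needs kms:DescribeKey")
    for stmt in policy.get("Statement", []):
        # A wildcard principal may decrypt only when a Condition (the encryption-context key) narrows it to trail logs.
        if "*" in _principals(stmt) and stmt.get("Effect") == "Allow" and "Condition" not in stmt \
                and any(fnmatch.fnmatchcase("kms:Decrypt", a) for a in _as_list(stmt.get("Action"))):
            findings.append(f"risk: statement '{stmt.get('Sid')}' lets any principal call kms:Decrypt unconditionally")
    return findings


def check_bucket_policy(policy, bucket, account_id, trail_arn, prefix=""):
    """Return findings for the S3 bucket policy; an empty list means CloudTrail can deliver logs."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # Constructed sample object key in the <prefix>/AWSLogs/<account id>/ layout CloudTrail writes to.
    key = f"{prefix.strip('/') + '/' if prefix else ''}AWSLogs/{account_id}/CloudTrail/us-east-1/sample.json.gz"
    acl = _find_allow(policy, CLOUDTRAIL, "s3:GetBucketAcl", bucket_arn)
    if acl is None:
        findings.append("missing: s3:GetBucketAcl on the bucket for cloudtrail.amazonaws.com")
    elif not _scoped_to_trail(acl, trail_arn):
        findings.append("weak: s3:GetBucketAcl grant is not limited to this trail via aws:SourceArn")
    put = _find_allow(policy, CLOUDTRAIL, "s3:PutObject", f"{bucket_arn}/{key}")
    if put is None:
        findings.append(f"missing: s3:PutObject on {bucket_arn}/{key} for cloudtrail.amazonaws.com")
    else:
        if _condition(put, "StringEquals", "s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append("weak: s3:PutObject grant does not require s3:x-amz-acl=bucket-owner-full-control")
        if not _scoped_to_trail(put, trail_arn):
            findings.append("weak: s3:PutObject grant is not limited to this trail via aws:SourceArn")
    return findings


# Constructed sample policies mirroring the article's, with a concrete region filled in.
ACCOUNT, BUCKET = "111122223333", "Bucket_Name"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/trailName"
BY_TRAIL = {"StringEquals": {"aws:SourceArn": TRAIL_ARN}}

KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable admin permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "kms:GenerateDataKey*", "Resource": "*", "Condition": BY_TRAIL},
    {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "kms:DescribeKey", "Resource": "*"},
    {"Sid": "Allow principals in other account to decrypt log files", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
     "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"}}},
]}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}", "Condition": BY_TRAIL},
    {"Sid": "AWSCloudTrailWritePermissions", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceArn": TRAIL_ARN}}},
]}

if __name__ == "__main__":
    print("KMS key policy:", check_kms_key_policy(KMS_POLICY, TRAIL_ARN) or "OK")
    print("Bucket policy: ", check_bucket_policy(BUCKET_POLICY, BUCKET, ACCOUNT, TRAIL_ARN) or "OK")
    # Remove the encrypt statement to reproduce the condition behind the article's error.
    broken = {"Version": "2012-10-17",
              "Statement": [s for s in KMS_POLICY["Statement"] if s["Sid"] != "Allow CloudTrail to encrypt logs"]}
    print("Broken key policy:", check_kms_key_policy(broken, TRAIL_ARN))
```

The checker treats a grant that exists but lacks `aws:SourceArn` as a "weak" finding rather than a pass: without that condition the key or bucket accepts writes from any trail in any account that names it, so it is worth fixing at the same time as the missing-permission error. Pass `prefix="optionalPrefix"` to `check_bucket_policy` when the trail uses a log file prefix; the sample object key then moves under the prefix and a `PutObject` resource that omits it is reported as missing.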

(Optional) Update the S3 bucket policy for an existing trail

Note: This option isn't available when you create a new trail.

Complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Trails, and then choose your trail name.
  3. Under General details, locate the "Bucket access denied" error.
  4. Choose Fix policy. Then, in the pop-up window, choose Fix policy again.
    Note: The Fix policy function automatically updates your S3 bucket policy and resolves the "Bucket access denied" error. It takes some time for the policy changes to propagate. After the changes take effect, the console displays Logging. You can also open the S3 bucket in the Amazon S3 console to confirm that it has the correct policy.

Related information

Amazon S3 bucket policy for CloudTrail

Configure AWS KMS key policies for CloudTrail to access S3 bucket or KMS key