How do I use AWS KMS to encrypt log data in CloudWatch Logs?

I want to use AWS Key Management Service (AWS KMS) to encrypt log data in Amazon CloudWatch Logs.

Short description

By default, CloudWatch Logs uses server-side encryption (SSE) keys to encrypt log group data. To control log data encryption or adhere to your security policy, you can also use customer managed keys in AWS KMS.

Note: When you use AWS KMS encryption, you might incur increased costs.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

You can use an existing customer managed key to encrypt log data in a log group. If you don't have a customer managed key, then create a key before you begin.

Important: You can use only symmetric AWS KMS keys in CloudWatch Logs. Don't use asymmetric keys.

Grant CloudWatch Logs the necessary permissions to access the AWS KMS key

To grant CloudWatch Logs permissions to access the AWS KMS key, change the key policy. Make sure that the CloudWatch Logs service principal and the caller role have the required permissions to use the key.
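The following Python is an added example, not part of the AWS article: it builds the key policy statement for the CloudWatch Logs service principal in the form the AWS documentation uses (the required kms actions, scoped to one log group through the aws:logs:arn encryption context) and checks an existing key policy for that grant. The account ID, region, and log group name are constructed placeholders.

```python
# Added example, not from the AWS article: build the key-policy statement that lets
# the CloudWatch Logs service principal use a KMS key, and check a key policy for it.
# SAMPLE_POLICY's account ID, region and log group name are constructed placeholders.
import json

REQUIRED_ACTIONS = {"kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:Describe*"}
CONTEXT_KEY = "kms:EncryptionContext:aws:logs:arn"

def logs_statement(region, account_id, log_group):
    """Allow statement for logs.<region>.amazonaws.com, limited to one log group by encryption context."""
    return {
        "Sid": "AllowCloudWatchLogs",
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
        "Condition": {"ArnEquals": {
            CONTEXT_KEY: f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"}},
    }

def check_logs_access(policy, region):
    """Return findings (empty list = OK): required actions present, every grant carries the context condition."""
    principal = f"logs.{region}.amazonaws.com"
    granted, unscoped = set(), False
    for st in policy.get("Statement", []):
        prin = st.get("Principal", {})
        svc = prin.get("Service", []) if isinstance(prin, dict) else []
        svc = [svc] if isinstance(svc, str) else svc
        if st.get("Effect") != "Allow" or principal not in svc:
            continue
        acts = st.get("Action", [])
        granted.update([acts] if isinstance(acts, str) else acts)
        if CONTEXT_KEY not in json.dumps(st.get("Condition", {})):
            unscoped = True  # key would be usable for any log group in the account
    if not granted:
        return [f"no Allow statement for {principal}"]
    findings = []
    missing = set() if "kms:*" in granted else REQUIRED_ACTIONS - granted
    if missing:
        findings.append("missing actions: " + ", ".join(sorted(missing)))
    if unscoped:
        findings.append("grant not limited to a log group by " + CONTEXT_KEY)
    return findings

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRoot", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},
    logs_statement("us-east-1", "111122223333", "example-log-group"),
]}
```

Run check_logs_access against the output of aws kms get-key-policy to confirm the grant before you associate the key; a finding about scope means the statement lacks the encryption-context condition.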

Associate an AWS KMS key with a log group

You can associate an AWS KMS key with a log group when you create the log group or afterward. It can take up to 5 minutes for the association to take effect for encryption.

Associate an AWS KMS key during log group creation

Complete the following steps:

  1. Open the CloudWatch console.
  2. In the navigation pane, choose Log groups.
  3. Choose Create log group.
  4. Enter a name and the AWS KMS key ARN for the log group.
  5. Choose Create.

Or, run the following create-log-group AWS CLI command:

aws logs create-log-group --log-group-name example-log-group --kms-key-id example-key-arn

Note: Replace example-log-group with the log group name and example-key-arn with the ARN of the AWS KMS key.

Associate an AWS KMS key with an existing log group

Note: You can't use the CloudWatch console to associate an AWS KMS key with an existing log group.

To associate an AWS KMS key with a log group that already exists, run the following associate-kms-key command:

aws logs associate-kms-key --log-group-name example-log-group --kms-key-id example-key-arn

Note: Replace example-log-group with the log group name and example-key-arn with the ARN of the AWS KMS key.

You can also disassociate an AWS KMS key from a log group. After you disassociate or change an AWS KMS key, CloudWatch Logs can still decrypt and return the log data. However, if you deactivate an AWS KMS key, then CloudWatch Logs can't read the logs that you encrypted with that key.

Related information

Encrypt log data in CloudWatch Logs using AWS Key Management Service

Data protection in Amazon CloudWatch Logs