By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Encrypt CloudTrail logs via Control Tower

0

Hi,

Currently I would like to encrypt CloudTrail logs in my Root account via a KMS key managed by me.

This trail exists in all my environments due to the use of Control Tower, through the Root account I have the possibility of adding the KMS key to the existing Landing Zone, but I would like to know if when applying this configuration, the other accounts will also be requesting this KMS key, and if so, how can I share this key with other accounts.

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Key Management ServiceSecurity, Identity, & ComplianceAWS Control TowerManagement & GovernanceAWS CloudTrail
Language
English
Carlos Alexandre
asked 2 months ago695 views
1 Answer
1

Hi THere

You dont need to share the key with other accounts. To use a KMS key with AWS Control Tower, you must update the default KMS key policy by adding the minimum required permissions for AWS Config and AWS CloudTrail.

See https://docs.aws.amazon.com/controltower/latest/userguide/configure-kms-keys.html

profile pictureAWS
EXPERT
Matt-B
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content