Encrypt CloudTrail logs via Control Tower
Currently I would like to encrypt CloudTrail logs in my Root account via a KMS key managed by me.

This trail exists in all my environments because of Control Tower. Through the Root account I have the possibility of adding the KMS key to the existing Landing Zone, but I would like to know whether, when applying this configuration, the other accounts will also request this KMS key, and if so, how I can share this key with the other accounts.

1 Answer

Hi there

You don't need to share the key with other accounts. To use a KMS key with AWS Control Tower, you must update the default KMS key policy by adding the minimum required permissions for AWS Config and AWS CloudTrail.

See https://docs.aws.amazon.com/controltower/latest/userguide/configure-kms-keys.html

answered 2 months ago
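As an added illustration that is not taken from the question, the answer, or the linked AWS page, this is the shape of key policy the answer describes: the default statement that keeps the management account's IAM principals in control of the key, plus one statement each for the AWS Config and CloudTrail service principals. The account ID 111122223333, the region us-east-1 and the trail name aws-controltower-BaselineCloudTrail are placeholders to replace with your own values; the CloudTrail conditions are assumed to restrict the grant to the Control Tower organization trail so that an unrelated trail cannot use the key.

```json
{
  "Version": "2012-10-17",
  "Id": "control-tower-logging-key-policy",
  "Statement": [
    {
      "Sid": "Keep IAM principals of the management account in control of the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow AWS Config to encrypt configuration snapshots with the key",
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ],
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudTrail to encrypt log files with the key",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": [ "kms:GenerateDataKey*", "kms:Decrypt" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/aws-controltower-BaselineCloudTrail"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111122223333:trail/*"
        }
      }
    }
  ]
}
```

Do not drop the first statement when editing the policy, or nobody in the management account will be able to administer the key afterwards. Principals in other accounts that need to read the encrypted logs, such as a log archive or audit account, would need their own kms:Decrypt statement, which is separate from the permissions that let the two services write.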
