Tags: amazon-web-services, encryption, amazon-kms, amazon-cloudtrail

Are multi-region KMS keys required for encrypting a multi-region CloudTrail trail?


I have a multi-region trail defined with Terraform that I'm trying to encrypt with KMS. My trail covers four AWS regions: us-east-1, us-west-2, eu-west-2, and eu-central-1, and I'm creating a KMS key for encrypting the log files and adding the appropriate permissions per the AWS docs. However, it's not clear whether or not this needs to be a multi-region key. If the KMS key I use needs to be multi-region, do I need to make a replica key for each additional region that my trail covers?

The docs say CloudTrail supports KMS multi-region keys, but the appropriate situation(s) to use MRKs w/ CloudTrail isn't straightforward. If I could get that far, then I do know that related MRKs do not share key policies and that I would need to define a specific policy for each should I need them.


Solution

  • It is not mandatory to use multi-region keys with CloudTrail. When you configure a trail and want to encrypt the CloudTrail log files, you can use a single KMS key to encrypt the files. Just make sure the KMS key is in the same region as the S3 bucket where you're sending the log files.
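As an added example (not from the question or the answer), this is the Terraform shape the answer describes: one single-region KMS key in the same region as the log bucket, carrying the CloudTrail key policy from the AWS docs, attached to a multi-region trail. The home region us-east-1, the trail and bucket names, and the resource labels are assumptions.

```hcl
# Added example, not from the original post. Assumed values: home region
# us-east-1, trail name "org-trail", and the bucket name below.
provider "aws" {
  region = "us-east-1" # trail home region; the bucket and the key live here too
}

data "aws_caller_identity" "me" {}

locals {
  account   = data.aws_caller_identity.me.account_id
  trail     = "org-trail" # assumed trail name
  trail_arn = "arn:aws:cloudtrail:us-east-1:${local.account}:trail/${local.trail}"
}

resource "aws_s3_bucket" "logs" {
  bucket = "cloudtrail-logs-${local.account}" # assumed name; same region as the key
}

# One single-region key. The encryption-context condition limits CloudTrail to
# trails in this account and aws:SourceArn pins it to this trail. No replica keys
# are needed: events from all four regions land in this one bucket, so only this
# key is ever used to wrap the log files' data keys.
resource "aws_kms_key" "cloudtrail" {
  description         = "CloudTrail log file encryption"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "RootAdmin", Effect = "Allow", Action = "kms:*", Resource = "*",
        Principal = { AWS = "arn:aws:iam::${local.account}:root" } },
      { Sid = "CloudTrailEncrypt", Effect = "Allow", Action = "kms:GenerateDataKey*", Resource = "*",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Condition = {
          StringEquals = { "aws:SourceArn" = local.trail_arn }
          StringLike   = { "kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:${local.account}:trail/*" }
        } },
      { Sid = "CloudTrailDescribe", Effect = "Allow", Action = "kms:DescribeKey", Resource = "*",
        Principal = { Service = "cloudtrail.amazonaws.com" } }
    ]
  })
}

resource "aws_cloudtrail" "main" {
  name                       = local.trail
  s3_bucket_name             = aws_s3_bucket.logs.id
  is_multi_region_trail      = true # four regions' events, one bucket, one key
  enable_log_file_validation = true
  kms_key_id                 = aws_kms_key.cloudtrail.arn
}
```

The bucket still needs its own bucket policy granting cloudtrail.amazonaws.com s3:GetBucketAcl and s3:PutObject (omitted here), and anyone who reads the logs needs kms:Decrypt on this key, which the policy above deliberately grants to no one but the account root.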