Posted On: Dec 8, 2017

Amazon CloudWatch today announces KMS support for CloudWatch Logs. You can now encrypt your logs using customer master keys (CMKs) managed through AWS Key Management Service (KMS).

Encryption is enabled at the log group level, by associating a CMK with a log group, either when you create the log group or after it exists. After you associate a CMK with a log group, all newly ingested data for the log group is encrypted using the CMK. This data is stored in encrypted format throughout its retention period. CloudWatch Logs decrypts this data upon request.  
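As an added example (not part of the announcement), this Python sketch audits `aws logs describe-log-groups` output for log groups with no associated CMK and builds the `aws logs associate-kms-key` command for each. The sample response is constructed, the key ARN is a placeholder, and the `kmsKeyId` field and CLI command come from the CloudWatch Logs API rather than from this page.

```python
import shlex

# Constructed sample, shaped like `aws logs describe-log-groups` output.
# A log group with an associated CMK carries a "kmsKeyId" field.
PLACEHOLDER_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_RESPONSE = {
    "logGroups": [
        {"logGroupName": "/app/payments", "kmsKeyId": PLACEHOLDER_KEY},
        {"logGroupName": "/app/web"},
        {"logGroupName": "/aws/lambda/report#nightly", "kmsKeyId": ""},
    ]
}


def audit_log_groups(response):
    """Split log groups into those with an associated CMK and those without."""
    encrypted, unencrypted = {}, []
    for group in response.get("logGroups", []):
        name = group["logGroupName"]
        key = group.get("kmsKeyId")
        if key:  # a missing or empty field means no CMK is associated
            encrypted[name] = key
        else:
            unencrypted.append(name)
    return {"encrypted": encrypted, "unencrypted": unencrypted}


def remediation_commands(response, key_arn):
    """Build one associate-kms-key command per log group lacking a CMK.

    Association covers newly ingested data only, so events ingested
    before the command runs are not encrypted under the CMK.
    """
    return [
        "aws logs associate-kms-key --log-group-name {} --kms-key-id {}".format(
            shlex.quote(name), shlex.quote(key_arn)
        )
        for name in audit_log_groups(response)["unencrypted"]
    ]


if __name__ == "__main__":
    report = audit_log_groups(SAMPLE_RESPONSE)
    print("with CMK:   ", sorted(report["encrypted"]))
    print("without CMK:", report["unencrypted"])
    for cmd in remediation_commands(SAMPLE_RESPONSE, PLACEHOLDER_KEY):
        print(cmd)
```
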

KMS support for CloudWatch Logs is available in all AWS Public Regions. For more information, see the documentation.