Posted On: Jul 28, 2021

Today, we are announcing new functionality in AWS Control Tower that gives you the option to use a single customer-provided AWS Key Management Service (AWS KMS) key to secure the services AWS Control Tower deploys (AWS CloudTrail and AWS Config) and the associated Amazon S3 data. Using AWS KMS encryption (SSE-KMS) gives you control over the key, its key policy, its rotation, and the audit trail of its use that the default SSE-S3 encryption used by AWS Control Tower does not.

The integration of AWS KMS support into AWS Control Tower aligns with the AWS Foundational Security Best Practices, which recommend using AWS KMS-managed keys (SSE-KMS) for encryption at rest as an added layer of security for your sensitive log files. AWS KMS encryption support is available when you set up a new landing zone or update an existing AWS Control Tower landing zone.

To configure this functionality, select KMS Key Configuration during your initial landing zone setup, or perform a landing zone update to reach this selection for an existing AWS Control Tower landing zone. You can choose an existing customer managed KMS key, or click a button that takes you to the AWS KMS console to create a new one. You can also change from default encryption to SSE-KMS, or switch from one SSE-KMS key to a different one.
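Before selecting a customer managed key, it is worth checking that its key policy actually lets the two services AWS Control Tower deploys use it: the CloudTrail and AWS Config service principals need permission to generate data keys and decrypt with the key, and a key protecting log data should not have an Allow statement open to any principal. The following is an added example, not code from this announcement or from AWS Control Tower; it lints a key policy document offline. The account ID, region, key ID and statement Sids are constructed placeholders, and the list of required service principals and actions is this editor's reading of the Control Tower User Guide's KMS guidance, stated here as an assumption.

```python
"""Lint a KMS key policy before pointing AWS Control Tower at the key.

Added example, not part of the AWS announcement or of Control Tower itself.
The account ID (111122223333), region and key ID are constructed placeholders;
REQUIRED is an assumption based on the Control Tower User Guide's KMS guidance.
"""
import json
from typing import Dict, List, Tuple

# Service principals used by the Control Tower deployed services, and the KMS
# actions each needs to write (GenerateDataKey) and read (Decrypt) log objects.
REQUIRED: Dict[str, Tuple[str, ...]] = {
    "cloudtrail.amazonaws.com": ("kms:GenerateDataKey", "kms:Decrypt"),
    "config.amazonaws.com": ("kms:GenerateDataKey", "kms:Decrypt"),
}

_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# Constructed sample policy: the default root statement plus one grant per service.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM policies", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to use the key", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": _KEY_ARN,
         "Condition": {"StringLike": {
             "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111122223333:trail/*"}}},
        {"Sid": "Allow Config to use the key", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": _KEY_ARN},
    ],
})

# Constructed negative sample: the Config grant is missing and a stray statement
# opens the key to any principal.
_bad = json.loads(GOOD_POLICY)
_bad["Statement"] = [s for s in _bad["Statement"] if s["Sid"] != "Allow Config to use the key"]
_bad["Statement"].append({"Sid": "Too open", "Effect": "Allow", "Principal": "*",
                          "Action": "kms:Decrypt", "Resource": "*"})
BAD_POLICY = json.dumps(_bad)


def _as_list(value):
    """IAM allows a string or a list in Principal/Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_covers(granted: str, needed: str) -> bool:
    """IAM action matching with a trailing wildcard: kms:GenerateDataKey* covers kms:GenerateDataKey."""
    g, n = granted.lower(), needed.lower()
    if g in ("*", "kms:*"):
        return True
    if g.endswith("*"):
        return n.startswith(g[:-1])
    return g == n


def service_grants(policy: dict) -> Dict[str, List[str]]:
    """Map each service principal to the actions the policy's Allow statements grant it."""
    grants: Dict[str, List[str]] = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not isinstance(stmt.get("Principal"), dict):
            continue
        for svc in _as_list(stmt["Principal"].get("Service", [])):
            grants.setdefault(svc, []).extend(_as_list(stmt.get("Action", [])))
    return grants


def missing_grants(policy: dict) -> List[Tuple[str, str]]:
    """(service, action) pairs from REQUIRED that no Allow statement covers."""
    grants = service_grants(policy)
    return [(svc, needed) for svc, actions in REQUIRED.items() for needed in actions
            if not any(_action_covers(g, needed) for g in grants.get(svc, []))]


def open_statements(policy: dict) -> List[str]:
    """Sids of Allow statements whose Principal is '*' (any AWS identity); a log key should have none."""
    sids = []
    for stmt in _as_list(policy.get("Statement", [])):
        p = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and (
                p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def check_policy(policy_json: str) -> dict:
    """Run both checks on a key policy document (e.g. the output of `aws kms get-key-policy`)."""
    policy = json.loads(policy_json)
    return {"missing": missing_grants(policy), "open_statements": open_statements(policy)}


if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_policy(doc))
```

A wildcard `Principal: "*"` is deliberately not counted as satisfying a service requirement: the landing zone would work, but only because the key is open to everyone, which is the finding the second check reports.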

For a full list of regions where AWS Control Tower is available, see the AWS Region Table. To learn more, visit the AWS Control Tower homepage or see the AWS Control Tower User Guide.