diff --git a/infrastructure/cloudtrail.tf b/infrastructure/cloudtrail.tf
index acfdbcbb2..9c0359f5a 100644
--- a/infrastructure/cloudtrail.tf
+++ b/infrastructure/cloudtrail.tf
@@ -2,6 +2,7 @@
 resource "aws_cloudtrail" "all-events" {
   name                       = "all-events"
   s3_bucket_name             = var.cloudtrail_bucket_name
+  kms_key_id                 = aws_kms_key.key.arn
   cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
   cloud_watch_logs_role_arn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.cloudtrail_role_name}"
   tags = {
@@ -71,24 +72,22 @@ resource "aws_s3_bucket_policy" "cloudtrail_bucket" {
 }
 
 resource "aws_iam_role" "cloudtrail_role" {
-  name               = var.cloudtrail_role_name
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": [
-          "cloudtrail.amazonaws.com"
-        ]
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
+  name = var.cloudtrail_role_name
+  assume_role_policy = jsonencode({
+    Version : "2012-10-17",
+    Statement : [
+      {
+        Action : "sts:AssumeRole",
+        Principal : {
+          Service : [
+            "cloudtrail.amazonaws.com"
+          ]
+        },
+        Effect : "Allow",
+        Sid : "CloudTrailServiceRole"
+      }
+    ]
+  })
   tags = {
     Project = var.project
     Stage   = var.stage
@@ -104,7 +103,7 @@ data "template_file" "cloudtrail_bucket_policy" {
 }
 
 # Attach policies to the IAM role allowing access to the S3 bucket and Cloudwatch
-resource "aws_iam_role_policy" "cloudtrail_policy" {
+resource "aws_iam_role_policy" "cloudtrail_s3_policy" {
   name_prefix = "crossfeed-cloudtrail-s3-${var.stage}"
   role        = aws_iam_role.cloudtrail_role.id
   policy = jsonencode({
@@ -139,4 +138,21 @@ resource "aws_iam_role_policy" "cloudtrail_cloudwatch_policy" {
       Resource = "arn:aws:logs:*"
     }]
   })
+}
+
+resource "aws_iam_role_policy" "cloudtrail_kms_policy" {
+  name_prefix = "crossfeed-cloudtrail-kms-${var.stage}"
+  role        = aws_iam_role.cloudtrail_role.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = [
+        "kms:GenerateDataKey*",
+        "kms:Decrypt*",
+        "kms:DescribeKey"
+      ],
+      Effect   = "Allow",
+      Resource = aws_kms_key.key.arn
+    }]
+  })
 }
\ No newline at end of file