AWS – Support for KMS encryption on S3 buckets used by AWS Config
AWS Config now supports the ability to use an AWS Key Management Service (KMS) key or alias Amazon Resource Name (ARN) that you provide, to encrypt the data delivered to your Amazon Simple Storage Service (S3) bucket. By default, AWS Config delivers configuration history and snapshot files to your S3 bucket and encrypts the data at rest using S3 AES-256 server-side encryption, SSE-S3. With this release, if you provide AWS Config with your KMS key or alias ARN, AWS Config will use that KMS key instead of using AES-256 encryption.
Read More for the details.