I created a new S3 log source to ingest logs in my Panther Console. My log source does not use a KMS key. However, I get an error message in the Health tab of my log source, saying:
error:failed to read line: s3manager download failed: AccessDenied: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
The S3 bucket is not encrypted, so there is no KMS key associated.
Individual S3 objects can be encrypted, even if the bucket is not. For example, GuardDuty requires objects to be encrypted.
To fix this, give the Panther processing role permissions to the KMS key used by these objects. Follow the instructions in Panther's S3 documentation here.
This issue occurs when the log source does not have a KMS key, but the individual S3 objects are encrypted, such as GuardDuty logs.