Panther Knowledge Base

How do I resolve the error "failure to download encrypted files from S3" while ingesting CloudTrail logs in Panther?


I'm ingesting encrypted CloudTrail files into Panther, but I see errors such as access denied and "Failure to download encrypted CloudTrail files from S3".


To resolve this issue:

  • Ensure that you provided the KMS key during the initial log source setup.
  • Ensure that the IAM role Panther is using to read this data has permission to use the same KMS key that encrypted those files. 
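    • Ensure that the Panther role has a policy that contains a statement like the following. Reading KMS-encrypted S3 objects requires at least the kms:Decrypt action:

          {
              "Version": "2012-10-17",
              "Statement": {
                  "Effect": "Allow",
                  "Action": [
                      "kms:Decrypt"
                  ],
                  "Resource": "kms-key-here"
              }
          }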


This issue occurs when the KMS key is not entered during the initial log source setup, or when the IAM role's permissions to access the KMS key have been removed.
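One way to check an exported copy of the Panther role's policy for the missing KMS permission described above. This is an added example, not Panther's own code; the function names, account ID, key ID and bucket name are constructed placeholders, and it assumes `Condition`, `NotAction` and `NotResource` are not evaluated.

```python
import json
import re

def _as_list(value):
    # IAM accepts a single object or string wherever a list is allowed.
    return value if isinstance(value, list) else [value]

def _glob(patterns, value, flags=0):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags):
            return True
    return False

def allows_kms_decrypt(policy_json, key_arn):
    """True if the policy allows kms:Decrypt on key_arn and no statement denies it.

    Assumption: Condition, NotAction and NotResource are not evaluated.
    """
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if "Action" not in stmt or "Resource" not in stmt:
            continue
        # Action names are case-insensitive; ARNs are matched case-sensitively.
        if not _glob(stmt["Action"], "kms:Decrypt", re.IGNORECASE):
            continue
        if not _glob(stmt["Resource"], key_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

# Constructed sample: placeholder account ID and key ID, not values from the page.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
# Statement given as a single object, the same shape as the policy in this article.
GOOD = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": KEY_ARN}})
# Same role after the KMS permission was removed: only S3 read access remains.
BROKEN = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print("good policy:", allows_kms_decrypt(GOOD, KEY_ARN))
    print("broken policy:", allows_kms_decrypt(BROKEN, KEY_ARN))
```

The check covers only the role's identity policy; the KMS key's own key policy is evaluated separately by AWS.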