Skip to main content
Panther Knowledge Base

How do I resolve the error "failure to download encrypted files from S3" while ingesting CloudTrail logs in Panther?

Issue

I'm ingesting encrypted CloudTrail files into Panther, but I see errors such as access denied andFailure to download encrypted CloudTrail files from S3

Resolution

To resolve this issue:

  • Ensure that you provided the KMS key during the initial log source setup.
  • Ensure that the IAM role Panther is using to read this data has permission to use the same KMS key that encrypted those files. 
    • Ensure that the Panther role has a policy that contains: 
      {
          "Version": "2012-10-17",
          "Statement": {
              "Effect": "Allow",
              "Action": [
                  "kms:DescribeKey",
                  "kms:GenerateDataKey",
                  "kms:Decrypt"
              ],
              "Resource": "kms-key-here"
          }
      }

Cause

This issue occurs when the KMS key is not entered on initial log source setup, or if the IAM Role's permissions to access the KMS key were somehow removed.

 

 

  • Was this article helpful?