Skip to main content
Panther Knowledge Base

How do I resolve the error "failure to download encrypted files from S3" while ingesting CloudTrail logs in Panther?

  1. Last updated
  2. Save as PDF

Issue

I'm ingesting encrypted CloudTrail files into Panther, but I see errors such as access denied andFailure to download encrypted CloudTrail files from S3

Resolution

To resolve this issue:

  • Ensure that you provided the KMS key during the initial log source setup.
  • Ensure that the IAM role Panther is using to read this data has permission to use the same KMS key that encrypted those files. 
    • Ensure that the Panther role has a policy that contains:  
      {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "kms:DescribeKey",
            "kms:GenerateDataKey",
            "kms:Decrypt"
        ],
        "Resource": "kms-key-here"
    }
}

Cause

This issue occurs when the KMS key is not entered on initial log source setup, or if the IAM Role's permissions to access the KMS key were somehow removed.