How do I resolve the error "failure to download encrypted files from S3" while ingesting CloudTrail logs in Panther?
Issue
I'm ingesting encrypted CloudTrail files into Panther, but I see errors such as "access denied" and "Failure to download encrypted CloudTrail files from S3".
Resolution
To resolve this issue:
- Ensure that you provided the KMS key during the initial log source setup.
- Ensure that the IAM role Panther is using to read this data has permission to use the same KMS key that encrypted those files.
- Ensure that the Panther role has a policy that contains:
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "kms-key-here"
    }
  }
Cause
This issue occurs when the KMS key is not entered during the initial log source setup, or when the IAM role's permissions to access the KMS key have been removed.
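To confirm which of the three KMS actions from the Resolution a role policy actually grants on the key, the policy document can be checked offline. The following is an added example, not Panther's code; the key ARN and sample policy are constructed, and the function name is hypothetical. It assumes only Allow statements in the role's identity policy matter, and does not evaluate Deny statements, conditions, or the KMS key policy.

```python
import json
import re

# The three actions the article's policy grants on the KMS key.
REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt")

# Constructed sample values (not real resources).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {  # a single object, as in the article; a list is also valid
        "Effect": "Allow",
        "Action": ["kms:DescribeKey", "kms:GenerateDataKey"],  # kms:Decrypt missing
        "Resource": KEY_ARN,
    },
})


def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, flags=0):
    """Match IAM-style wildcards: '*' is any run of characters, '?' is one."""
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, candidate, flags):
            return True
    return False


def missing_kms_actions(policy_json, key_arn):
    """Return the required actions that no Allow statement grants on key_arn."""
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if not _matches(stmt.get("Resource", []), key_arn):
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        granted.update(
            a for a in REQUIRED_ACTIONS if _matches(stmt["Action"], a, re.IGNORECASE)
        )
    return [a for a in REQUIRED_ACTIONS if a not in granted]


if __name__ == "__main__":
    print(missing_kms_actions(SAMPLE_POLICY, KEY_ARN))
```

An empty result means the policy document allows all three actions on that key; any action listed is one the role still needs.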