Why does my Guard Duty log source in say it cannot access a log file in Panther?
My GuardDuty log source gives an error stating it cannot access a log file.
To resolve this issue, try one of the following:
- Edit the log source, add the KMS key, download the new CFN template and deploy it.
- Manually edit the source's IAM role and give it the following permissions:
- Effect: Allow Action: - kms:Decrypt - kms:DescribeKey Resource: <kms-key-arn>
For more information, see this AWS reference on GuardDuty.
Possible reasons the Guard Duty log source may have issues:
- The IAM Role had permissions to access the KMS key and it was somehow removed
- There wasn't any GuardDuty data sent that was encrypted with this KMS key. Perhaps the source was configured to receive different types of AWS data eg CloudTrail, Vpc Flow logs etc so there is activity in that log source but no activity from GuardDuty encrypted files.