Skip to main content
Panther Knowledge Base

Why does my Guard Duty log source in say it cannot access a log file in Panther?

ISSUE

My GuardDuty log source gives an error stating it cannot access a log file.

RESOLUTION

To resolve this issue, try one of the following:

  • Edit the log source, add the KMS key, download the new CFN template and deploy it.
  • Manually edit the source's IAM role and give it the following permissions:
    - Effect: Allow
      Action:
       - kms:Decrypt
       - kms:DescribeKey
        Resource: <kms-key-arn>

For more information, see this AWS reference on GuardDuty.

CAUSE

Possible reasons the Guard Duty log source may have issues:

  1. The IAM Role had permissions to access the KMS key and it was somehow removed
  2. There wasn't any GuardDuty data sent that was encrypted with this KMS key. Perhaps the source was configured to receive different types of AWS data eg CloudTrail, Vpc Flow logs etc so there is activity in that log source but no activity from GuardDuty encrypted files.
  • Was this article helpful?