I'm ingesting encrypted CloudTrail files into Panther, but I see errors such as "access denied" and "Failure to download encrypted CloudTrail files from S3"
To resolve this issue:
Ensure that you provided the KMS key during the initial log source setup.
Ensure that the IAM role Panther is using to read this data has permission to use the same KMS key that encrypted those files.
Ensure that the Panther role has a policy that contains:
    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "kms-key-here"
        }
    }
This issue occurs when the KMS key was not entered during initial log source setup, or when the IAM role's permissions to use the KMS key have been removed.
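To confirm the policy check above offline, the following added example (not Panther's own code) parses a role policy document and reports which of the three KMS actions it fails to allow on a given key. The key ARN, the two sample policies and the function names are constructed for illustration.

```python
import json
import re

# The three actions granted by the policy shown above.
REQUIRED = ("kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt")

# Constructed sample values (not from the page): a key ARN and two role policies.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": list(REQUIRED), "Resource": KEY_ARN},
})
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kms:DescribeKey", "kms:GenerateDataKey"],
                   "Resource": KEY_ARN}],
})

def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def missing_kms_actions(policy_json, key_arn):
    """Return the required actions this policy does not allow on key_arn."""
    allowed, denied = set(), set()
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        # Simplification: NotAction/NotResource are skipped, Condition is ignored.
        if "Action" not in st or "Resource" not in st:
            continue
        if not any(_wild(r, key_arn) for r in _as_list(st["Resource"])):
            continue
        hits = {a for a in REQUIRED
                if any(_wild(p, a, True) for p in _as_list(st["Action"]))}
        if st.get("Effect") == "Allow":
            allowed |= hits
        elif st.get("Effect") == "Deny":
            denied |= hits  # an explicit Deny always overrides an Allow
    return [a for a in REQUIRED if a not in allowed or a in denied]

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("broken", BROKEN_POLICY)):
        print(name, "missing:", missing_kms_actions(doc, KEY_ARN))
```

This checks only the role's identity policy; the KMS key policy must also permit the role.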