How do I resolve the error "failure to download encrypted files from S3" while ingesting CloudTrail logs in Panther?
Last updated: September 3, 2024
Issue
I'm ingesting encrypted CloudTrail files into Panther, but I see errors such as access denied and Failure to download encrypted CloudTrail files from S3.
Resolution
To resolve this issue:
Ensure that you provided the KMS key during the initial log source setup.
Ensure that the IAM role Panther is using to read this data has permission to use the same KMS key that encrypted those files.
Ensure that the Panther role has a policy that contains:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": "kms-key-here"
  }
}
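One way to check a role policy document against the three actions above before retrying the log source, shown as an added example that is not Panther's own code. The function name, key ARN and sample policies are constructed for illustration, and the check only reads Allow statements in a single identity policy; Deny statements, conditions and the KMS key policy are assumed not to interfere.

```python
import json
from fnmatch import fnmatchcase

# The three actions granted by the policy in this article.
REQUIRED = ("kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt")

def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def missing_kms_actions(policy_json, key_arn):
    """Return required actions that no Allow statement grants on key_arn.

    Simplification (assumption): Deny statements, Condition blocks,
    NotAction/NotResource and the KMS key policy are not evaluated.
    """
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Resource may be the exact key ARN or a wildcard pattern.
        if not any(fnmatchcase(key_arn, r) for r in _as_list(stmt.get("Resource"))):
            continue
        for pattern in _as_list(stmt.get("Action")):
            # Action names are case-insensitive and may use "*" (e.g. kms:*).
            granted.update(a for a in REQUIRED
                           if fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in REQUIRED if a not in granted]

# Constructed sample data: placeholder key ARN and two role policies.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
GOOD = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"],
    "Resource": KEY_ARN}})
BROKEN = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:DescribeKey", "Resource": KEY_ARN}]})

if __name__ == "__main__":
    print("good policy missing:", missing_kms_actions(GOOD, KEY_ARN))
    print("broken policy missing:", missing_kms_actions(BROKEN, KEY_ARN))
```

An empty list means the policy document grants all three actions on that key; any action returned is one to add back to the role.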
Cause
This issue occurs when the KMS key is not entered during initial log source setup, or when the IAM role's permissions to access the KMS key were somehow removed.