If your CloudTrail bucket uses Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) or you plan to add SSE-KMS encryption to a Lacework-created bucket, you must grant decrypt permission to Lacework.
If using the Lacework CloudFormation template, you must edit the inline policy LaceworkCWSPolicy within the account_name-laceworkcwssarolea role. To allow Lacework to decrypt your CloudTrail logs, add the following term to the policy:
{
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:YourRegion:YourAccount:key/YourKeyIdentifier"
],
"Effect": "Allow",
"Sid": "DecryptLogFiles"
},
Replace YourRegion and YourAccount with your values.
To make the policy easily readable, Lacework recommends that you add the term directly below the ReadLogFiles term as follows:
{
"Action": [
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::YourBucketName/*AWSLogs/*"
],
"Effect": "Allow",
"Sid": "ReadLogFiles"
},
{
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:YourRegion:YourAccount:key/YourKeyIdentifier"
],
"Effect": "Allow",
"Sid": "DecryptLogFiles"
},
Replace YourBucketName, YourRegion, YourAccount, and YourKeyIdentifier with your values.
If you have manually integrated Lacework, you must add the DecrpytLogFiles term to the role/policy that you created for Lacework.
Without decrypt permission, you will see Access Denied decryption errors in the API Error Information table in the CloudTrail dossier. After the change, the errors should stop. If you continue to see errors, contact Lacework support.