If your CloudTrail bucket uses Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) or you plan to add SSE-KMS encryption to a Lacework-created bucket, you must grant decrypt permission to Lacework.
If using the Lacework CloudFormation template, edit the inline policy LaceworkCWSPolicy within the YourAccount-laceworkcwssarolea role. To allow Lacework to decrypt your CloudTrail logs, add the following term to the policy:
{
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:YourRegion:YourAccount:key/YourKeyIdentifier"
],
"Effect": "Allow",
"Sid": "DecryptLogFiles"
},
Replace YourRegion and YourAccount with your values, or simply copy the key's entire ARN.
To make the policy easily readable, Lacework recommends that you add the term directly below the ReadLogFiles term as follows:
{
"Action": [
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::YourBucketName/*AWSLogs/*"
],
"Effect": "Allow",
"Sid": "ReadLogFiles"
},
{
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:YourRegion:YourAccount:key/YourKeyIdentifier"
],
"Effect": "Allow",
"Sid": "DecryptLogFiles"
},
Replace YourBucketName, YourRegion, YourAccount, and YourKeyIdentifier with your values.
If you manually integrated Lacework, add the DecryptLogFiles term to the role/policy that you created for Lacework.
Ensure that the Role used by Lacework has "kms:decrypt" access within the Key Policy. For details, see Key policies in AWS KMS.
Without decrypt permission, you will see Access Denied decryption errors in the API Error Information table in the CloudTrail dossier. After the change, the errors should stop. If you continue to see errors, contact Lacework support.