If your CloudTrail bucket uses Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) or you plan to add SSE-KMS encryption to a Lacework-created bucket, you must grant decrypt permission to Lacework.
If using the Lacework CloudFormation template, you must edit the inline policy LaceworkCWSPolicy within the YourAccount-laceworkcwssarolea role. To allow Lacework to decrypt your CloudTrail logs, add the following term to the policy:
    {
        "Action": [ "kms:Decrypt" ],
        "Resource": [ "arn:aws:kms:YourRegion:YourAccount:key/YourKeyIdentifier" ],
        "Effect": "Allow",
        "Sid": "DecryptLogFiles"
    },
Replace YourRegion and YourAccount with your values, or simply copy the key's entire ARN.
To make the policy easily readable, Lacework recommends that you add the term directly below the ReadLogFiles term as follows:
    {
        "Action": [ "s3:Get*" ],
        "Resource": [ "arn:aws:s3:::YourBucketName/*AWSLogs/*" ],
        "Effect": "Allow",
        "Sid": "ReadLogFiles"
    },
    {
        "Action": [ "kms:Decrypt" ],
        "Resource": [ "arn:aws:kms:YourRegion:YourAccount:key/YourKeyIdentifier" ],
        "Effect": "Allow",
        "Sid": "DecryptLogFiles"
    },
Replace YourBucketName, YourRegion, YourAccount, and YourKeyIdentifier with your values.
If you have manually integrated Lacework, you must add the DecryptLogFiles term to the role/policy that you created for Lacework.
You must also make sure that the role used by Lacework is granted kms:Decrypt in the key policy of the KMS key itself; an IAM policy on the role alone is not sufficient unless the key policy allows it.
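As an added example (not Lacework's code), the following script checks offline that both documents described above grant kms:Decrypt to the Lacework role: the role's inline policy with the DecryptLogFiles statement, and the key policy on the KMS key. The sample policies, the role ARN, and the key policy statement Sid AllowLaceworkDecrypt are constructed here from the page's placeholders, not real values.

```python
import re

# Constructed sample values built from the page's placeholders (not real account data).
ROLE_ARN = "arn:aws:iam::YourAccount:role/YourAccount-laceworkcwssarolea"
KEY_ARN = "arn:aws:kms:YourRegion:YourAccount:key/YourKeyIdentifier"

# Constructed: the role's inline policy after the DecryptLogFiles statement is added.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadLogFiles", "Effect": "Allow", "Action": ["s3:Get*"],
     "Resource": ["arn:aws:s3:::YourBucketName/*AWSLogs/*"]},
    {"Sid": "DecryptLogFiles", "Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": [KEY_ARN]},
]}

# Constructed: a key policy that names the Lacework role explicitly (Sid is made up here).
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::YourAccount:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowLaceworkDecrypt", "Effect": "Allow",
     "Principal": {"AWS": ROLE_ARN}, "Action": "kms:Decrypt", "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run, '?' one character, else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _principal_covers(stmt, principal_arn):
    """True for identity policies (no Principal) or when the statement names the ARN.
    Delegation through the account root principal is deliberately not modelled."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def grants(policy, action, resource, principal_arn):
    """True if an Allow statement matches action/resource/principal and no Deny does."""
    effects = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue  # actions compare case-insensitively, ARNs case-sensitively
        if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if _principal_covers(stmt, principal_arn):
            effects.add(stmt.get("Effect"))
    return "Allow" in effects and "Deny" not in effects


def lacework_can_decrypt(role_policy, key_policy, role_arn, key_arn):
    """Both the role's policy and the key policy must allow kms:Decrypt on the key."""
    return (grants(role_policy, "kms:Decrypt", key_arn, role_arn)
            and grants(key_policy, "kms:Decrypt", key_arn, role_arn))
```

Running the check against a policy that still lacks the DecryptLogFiles statement returns False, which is the configuration that produces the Access Denied errors described below.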
Without decrypt permission, you will see Access Denied decryption errors in the API Error Information table in the CloudTrail dossier. After the change, the errors should stop. If you continue to see errors, contact Lacework support.