If your CloudTrail bucket uses Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) or you plan to add SSE-KMS encryption to a Lacework-created bucket, you must grant decrypt permission to Lacework.
If using the Lacework CloudFormation template, you must edit the inline policy LaceworkCWSPolicy within the account_name-laceworkcwssarolea role. To allow Lacework to decrypt your CloudTrail logs, add the following term to the policy:
{
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:<region>:<account>:key/<key_identifier>"
],
"Effect": "Allow",
"Sid": "DecryptLogFiles"
},
To make the policy easily readable, Lacework recommends that you add the term directly below the ReadLogFiles term as follows:
{
"Action": [
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::<bucket_name>/*AWSLogs/*"
],
"Effect": "Allow",
"Sid": "ReadLogFiles"
},
{
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:<region>:<account>:key/<key_identifier>"
],
"Effect": "Allow",
"Sid": "DecryptLogFiles"
},
If you have manually integrated Lacework, you must add the DecrpytLogFiles term to the role/policy that you created for Lacework.
Without decrypt permission, you will see Access Denied decryption errors in the API Error Information table in the CloudTrail dossier. After the change, the errors should stop. If you continue to see errors, contact Lacework support.