Getting Error 'The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access' while Validating Bucket Path in S3 Configuration during AWS Cloud Onboarding in Prisma Cloud
Created On 07/02/23 02:17 AM - Last Modified 05/30/25 17:20 PM
Symptom
- The following error is shown while validating the bucket path in the S3 Configuration step of AWS Cloud Onboarding in Prisma Cloud: 'The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access'
Environment
- Prisma Cloud Enterprise Edition
- AWS
Cause
- Objects under the bucket path are encrypted with more than one SSE-KMS key, and the Logging Role used by Prisma Cloud is not allowed to use one or more of those keys. KMS returns the same error whether the key is missing, lives in another region, or the caller simply lacks kms:Decrypt on it, so a permission gap shows up as a "key does not exist" message.
- Example: bucket 'bucket-XYZ' has the default SSE-KMS key 'Key-1', and the objects written to Folder1 (the prefix created for VPC-A) were encrypted with a different key, 'Key-2'. S3 encrypts per object, so a "folder" only appears to have its own key because the objects under that prefix were uploaded with it.
- The Logging Role can be granted use of a key from either side: an IAM policy attached to the role that allows kms:Decrypt on the key's ARN, or the key policy that lists the role as a 'Key User' (with the default key policy in place, either one is sufficient). If neither grants access to every key used under the path, validation fails with this error.
Resolution
- Add the Logging Role as a 'Key User' on every KMS key used by objects under the bucket path
OR
- In the Logging Role policy configured on AWS for Prisma Cloud, list the ARN of every such key (comma-separated) in the 'Resource' element of the 'kms:Decrypt' statement. If you cannot determine which keys were used for the objects under the folders, temporarily set 'Resource' to '*' to confirm that key access is the cause; once validation succeeds, narrow it back to the specific key ARNs.
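To find out which keys the objects under a path actually use, and to check them against what the Logging Role is allowed to decrypt, the following Python script is an added example; it is not Prisma Cloud or AWS-provided code. The bucket, prefix, account ID, key ARNs and role ARN are invented, and the object metadata is constructed to mimic the fields returned by S3 head-object.

```python
"""Inventory the SSE-KMS keys used under an S3 bucket path and compare them with
the Logging Role's kms:Decrypt permissions.  Added example; the bucket, prefix,
account ID, key ARNs and role ARN below are assumptions, not real resources."""
import json

# Assumed identifiers (invented for this example).
ACCOUNT_ID = "111122223333"
BUCKET_REGION = "us-east-1"
KEY_1_ARN = f"arn:aws:kms:{BUCKET_REGION}:{ACCOUNT_ID}:key/11111111-1111-1111-1111-111111111111"
KEY_2_ARN = f"arn:aws:kms:{BUCKET_REGION}:{ACCOUNT_ID}:key/22222222-2222-2222-2222-222222222222"
LOGGING_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/PrismaCloudLoggingRole"

# Constructed sample metadata, shaped like the fields of interest in the
# head-object response for objects under s3://bucket-XYZ/Folder1/.
# Two objects were written with Key-2, one with the bucket default Key-1,
# and one uses SSE-S3 (AES256), which needs no KMS permission at all.
SAMPLE_OBJECTS = [
    {"Key": "Folder1/vpc-a/flow-1.log.gz", "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_2_ARN},
    {"Key": "Folder1/vpc-a/flow-2.log.gz", "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_2_ARN},
    {"Key": "Folder1/vpc-a/flow-3.log.gz", "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_1_ARN},
    {"Key": "Folder1/README.txt", "ServerSideEncryption": "AES256"},
]


def kms_keys_in_use(objects):
    """Distinct KMS key ARNs that encrypt the given objects, sorted for stable output."""
    return sorted({o["SSEKMSKeyId"] for o in objects
                   if o.get("ServerSideEncryption") == "aws:kms" and o.get("SSEKMSKeyId")})


def keys_outside_region(key_arns, bucket_region):
    """Keys whose ARN region differs from the bucket's region.  KMS keys are regional,
    which is the 'does not exist in this region' case in the error text."""
    return [k for k in key_arns if k.split(":")[3] != bucket_region]


def uncovered_keys(key_arns, resources):
    """Keys not covered by the Resource element of the role's kms:Decrypt statement.
    A literal '*' (the test-only setting from the Resolution) covers every key."""
    if isinstance(resources, str):
        resources = [resources]
    if "*" in resources:
        return []
    return [k for k in key_arns if k not in resources]


def decrypt_statement(key_arns):
    """IAM policy statement for the Logging Role: kms:Decrypt on exactly these keys."""
    return {"Sid": "DecryptFlowLogObjects", "Effect": "Allow",
            "Action": "kms:Decrypt", "Resource": list(key_arns)}


def key_user_statement(role_arn):
    """Key-policy statement equivalent to adding the role as a 'Key User' in the KMS console."""
    return {"Sid": "Allow use of the key", "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*"}


def head_objects(bucket, prefix):
    """Collect the same metadata from a live bucket with boto3 (one head-object call
    per object, so run it against a narrow prefix).  Not used by the sample run."""
    import boto3  # imported here so the rest of the file works without boto3
    s3 = boto3.client("s3")
    found = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        for item in page.get("Contents", []):
            meta = s3.head_object(Bucket=bucket, Key=item["Key"])
            found.append({"Key": item["Key"],
                          "ServerSideEncryption": meta.get("ServerSideEncryption"),
                          "SSEKMSKeyId": meta.get("SSEKMSKeyId")})
    return found


if __name__ == "__main__":
    keys = kms_keys_in_use(SAMPLE_OBJECTS)
    # Pretend the role's current policy only names Key-1, as in the Cause above.
    print("keys in use:", keys)
    print("not granted to the role:", uncovered_keys(keys, [KEY_1_ARN]))
    print("outside bucket region:", keys_outside_region(keys, BUCKET_REGION))
    print(json.dumps(decrypt_statement(keys), indent=2))
```

Run against the constructed sample, the script reports Key-2 as the key the role is not granted, which is the situation described under Cause. Against a live bucket, replace SAMPLE_OBJECTS with the result of head_objects(bucket, prefix); a '*' in Resource is useful only to confirm the diagnosis, since it grants the role decrypt access to every key in the account. The IAM-policy route assumes the key policy still contains its default statement delegating permissions to IAM; for keys in another account, the key policy must grant the role directly.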
If the steps above do not resolve the error, contact Palo Alto Networks Technical Support.