AWS KMS policy
Created On 10/02/25 17:43 PM - Last Modified 10/02/25 19:52 PM
Symptom
- The customer saw AccessDenied errors on kms:Decrypt calls from their AWS S3 data source.
Environment
- XSIAM
- AWS
Cause
- The AWS CloudTrail logs in the S3 bucket are encrypted with the customer's KMS key, and the key policy and IAM policy decide who may decrypt them.
Resolution
The customer needed to attach a policy granting kms:Decrypt to the IAM role that the data source uses, so that the role can decrypt the CloudTrail logs it reads from S3.
example (111122223333 is the AWS documentation placeholder account ID; replace it with your own):
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": "arn:aws:kms:*:111122223333:key/*"
  }
}
```
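To confirm a role's identity policy actually grants kms:Decrypt on the CloudTrail key before re-running the data source, the following is an added, offline checker (not part of this article or of AWS). It evaluates the Allow/Deny statements of a policy document against an action and a key ARN the way IAM does for simple policies; it does not model NotAction, NotResource or Condition, and the key ARN below is a constructed sample.

```python
import fnmatch
import json

# Constructed sample: the policy from the article, as attached to the data-source role.
ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt"],
    "Resource": "arn:aws:kms:*:111122223333:key/*"
  }
}
""")

# Constructed sample key ARN (not a real key).
CLOUDTRAIL_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case):
    """IAM wildcard match: '*' and '?' only. Actions are case-insensitive, ARNs are not."""
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy, action, resource):
    """True if the policy grants `action` on `resource`. An explicit Deny wins over any Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action")))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue  # statement does not apply to this request
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_kms_actions(policy, key_arn, required=("kms:Decrypt",)):
    """KMS actions the data source needs on the CloudTrail key that the policy does not grant."""
    return [a for a in required if not policy_allows(policy, a, key_arn)]
```

A passing check here only covers the identity policy; the key policy on the KMS key must also allow the role (for a same-account key, usually via the statement that delegates to IAM policies), which the AWS KMS reference linked below describes.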
Additional Information
AWS CloudTrail ref: https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/cloudtrail.html
KMS Policy ref: https://docs.aws.amazon.com/kms/latest/developerguide/customer-managed-policies.html