Permissions needed to copy trail events to a CloudTrail Lake


I'm getting this error when I try to copy CloudTrail events into my CloudTrail Lake:

"Access denied. Verify that the IAM role policy, S3 bucket policy, and KMS key policy have adequate permissions."

My CloudTrail S3 bucket was created by Control Tower and it is in a separate account from my organization's management account. My Lake was created in my management account.

I have already:

  1. Updated my bucket's ACL to allow my management account to List Objects and Read the Bucket ACL.
  2. Updated my bucket's resource-based policy to allow the role that CloudTrail will assume ("CloudTrailCopyRole") to perform the following actions: s3:ListBucket, s3:GetBucketAcl and s3:GetObject.
  3. The CloudTrailCopyRole role has an inline policy that allows it to perform s3:ListBucket, s3:GetBucketAcl and s3:GetObject on the bucket and the bucket's objects.

The bucket uses Amazon S3 managed keys (SSE-S3) to encrypt the objects. Are there any permissions that I need to assign to the CloudTrailCopyRole role to decrypt the bucket's objects?

I have worked through the documentation, but I cannot find any permissions that I am missing.

Are there any other permissions I need to assign or modifications I need to make?

Edit: I added the kms:Decrypt and kms:GenerateDataKey permissions to my CloudTrailCopyRole role and to my trail's KMS key.

I think the last issue might be related to the fact that the CloudTrail bucket's object ownership is set to "Object writer". The objects' ACLs don't allow my management account to access the objects.

  • Could you double-check that the resource names and Amazon Resource Names (ARNs) specified in your IAM policies are correct and match the actual resources? Ensure that the IAM role (CloudTrailCopyRole) has the necessary permissions to interact with AWS CloudTrail to read and copy the CloudTrail events. This might involve permissions like cloudtrail:LookupEvents, cloudtrail:DescribeTrails, and cloudtrail:GetEventSelectors.

    KMS Key Policy: Since your S3 bucket is encrypted with SSE-S3, there might be a KMS key policy attached to the KMS key used for encryption. Ensure that the CloudTrailCopyRole has the necessary permissions to decrypt objects using this KMS key. You may need to update the KMS key policy to grant decryption permissions to the CloudTrailCopyRole.

asked 3 months ago · 234 views
1 Answer

To resolve the "Access denied" error when copying CloudTrail events to a CloudTrail Lake, ensure the following:

  1. The CloudTrailCopyRole role should have s3:ListBucket, s3:GetBucketAcl, s3:GetObject, kms:Decrypt, and kms:GenerateDataKey permissions.
  2. Update the KMS key policy used for encrypting the S3 bucket to allow the CloudTrailCopyRole role to use kms:Decrypt and kms:GenerateDataKey.
  3. Change the object ownership in the S3 bucket settings from "Object writer" to "Bucket owner preferred" to ensure your management account can access the objects.

After applying these changes, try the copy operation again.

answered 3 months ago
  • Hi Sedat, thank you for your answer. The problem seems to lie with the object ownership. However, changing the bucket's ownership settings won't change the ownership of the existing objects. Does that mean I now need to update the ownership of each of the millions of objects?
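
An added example, not part of the original thread or of any AWS tooling: an offline check that reports which of the actions listed in the answer a policy document fails to grant, including the case where s3:GetObject is scoped to the bucket ARN instead of the objects under it. The ARNs, the sample policies and the function names are constructed for illustration, the evaluation is simplified (no Condition, NotAction or Principal handling), and object ACLs and ownership are not covered.

```python
import fnmatch

# Actions the answer lists for the copy role. The resource each one is checked
# against is this example's assumption: bucket ARN for the bucket-level actions,
# an object ARN for s3:GetObject, the key ARN for the KMS actions.
def required(bucket_arn, key_arn=None):
    need = [("s3:ListBucket", bucket_arn),
            ("s3:GetBucketAcl", bucket_arn),
            ("s3:GetObject", bucket_arn + "/AWSLogs/sample.json.gz")]
    if key_arn:  # only when the objects are encrypted with a KMS key
        need += [("kms:Decrypt", key_arn), ("kms:GenerateDataKey", key_arn)]
    return need

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
              for a in _as_list(stmt.get("Action", [])))
    res = any(fnmatch.fnmatchcase(resource, r)
              for r in _as_list(stmt.get("Resource", [])))
    return act and res

def allows(policy, action, resource):
    # Simplified evaluation: explicit Deny wins, then any matching Allow.
    # Condition, NotAction, NotResource and Principal are not evaluated.
    stmts = _as_list(policy.get("Statement", []))
    if any(s.get("Effect") == "Deny" and _matches(s, action, resource) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _matches(s, action, resource) for s in stmts)

def missing(policy, bucket_arn, key_arn=None):
    return [a for a, r in required(bucket_arn, key_arn) if not allows(policy, a, r)]

# Constructed sample values, not taken from the thread.
BUCKET = "arn:aws:s3:::example-trail-bucket"
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
S3_ACTIONS = ["s3:ListBucket", "s3:GetBucketAcl", "s3:GetObject"]
# All three actions scoped to the bucket ARN only: s3:GetObject never matches an object.
BUCKET_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": S3_ACTIONS, "Resource": BUCKET}]}
# Bucket and object ARNs both listed, plus the KMS actions on the key.
COMPLETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": S3_ACTIONS, "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": KEY}]}

if __name__ == "__main__":
    for name, pol in (("BUCKET_ONLY", BUCKET_ONLY), ("COMPLETE", COMPLETE)):
        print(name, "missing:", missing(pol, BUCKET, KEY))
```

The same `missing()` call can be run against the role's inline policy and the bucket policy exported as JSON, since both must grant the actions for cross-account access.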
