What is the MOST likely cause?
The log files fail integrity validation and automatically are marked as unavailable.
The KMS key policy does not grant the Security Engineer’s IAM user or role permissions to decrypt with it.
The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
An IAM policy applicable to the Security Engineer’s IAM user or role denies access to the “CloudTrail/” prefix in the Amazon S3 bucket.
Explanations:
If the log files failed integrity validation, they would be marked as unavailable, but this would prevent access to the digest files, not the log files themselves.
If the KMS key policy does not grant the required decryption permissions to the Security Engineer’s IAM user or role, they would not be able to decrypt the log files, making them unreadable.
If the bucket were using SSE-S3 by default, it would not affect files encrypted with SSE-KMS. This would not explain the inability to read the SSE-KMS encrypted log files.
An IAM policy denying access to the “CloudTrail/” prefix would prevent both the digest and log files from being accessed, not just the log files. This is not the most likely cause of the issue.
I chart that the answer is:
The KMS key policy does not grant the Security Engineer’s IAM user or role permissions to decrypt with it.
I arrange that the answer is:
The KMS key policy does not grant the Security Engineer’s IAM user or role permissions to decrypt with it.