
    Applicable to:

    • Connector: AWS S3 real-time connection logs
    • Terraform

    Overview

    When using SSE-KMS, users configuring real-time connection logs to AWS S3 buckets may see empty files and receive repeated "Your S3 sync is experiencing issues." messages.

    Cause

    This is related to the use of SSE-KMS. Per the AWS documentation:

    "To successfully make a PutObject request to encrypt an object with an AWS KMS key to Amazon S3, you need kms:GenerateDataKey permissions on the key. To download an object encrypted with an AWS KMS key, you need kms:Decrypt permissions for the key. To perform a multipart upload to encrypt an object with an AWS KMS key, you must have the kms:GenerateDataKey and kms:Decrypt permissions for the key."

    Workaround

    Use SSE-S3 instead. Alternatively, to keep SSE-KMS, grant the kms:GenerateDataKey and kms:Decrypt permissions on the KMS key, similar to:

    # Allow kms:GenerateDataKey and kms:Decrypt on the KMS key.
    # This statement block goes inside a data "aws_iam_policy_document" block.
    statement {
      actions = [
        "kms:GenerateDataKey",
        "kms:Decrypt",
      ]
      resources = [
        aws_kms_key.this.arn,
      ]
    }
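
A pre-deployment check for the missing permissions described above, added here as an example and not part of the original article or any vendor tooling. The key ARN, bucket name and both policies are constructed placeholders; the check reads only Action, Resource and Effect in an identity policy and does not evaluate Condition blocks, NotAction/NotResource or the KMS key policy.

```python
import json
import re

# Actions the AWS documentation quoted above requires for SSE-KMS uploads.
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")
# Constructed placeholder ARN and bucket name, not taken from the article.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
S3_STMT = {"Effect": "Allow", "Action": "s3:PutObject",
           "Resource": "arn:aws:s3:::example-log-bucket/*"}
KMS_STMT = {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": KEY_ARN}
# Policy without the KMS statement (the failure case) and the corrected one.
S3_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [S3_STMT]})
WITH_KMS = json.dumps({"Version": "2012-10-17", "Statement": [S3_STMT, KMS_STMT]})


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, ignore_case=False):
    """IAM-style match: '*' is any run of characters, '?' is one character."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags):
            return True
    return False


def missing_kms_actions(policy_json, key_arn):
    """Return the required KMS actions this identity policy does not allow on key_arn."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    missing = []
    for action in REQUIRED_ACTIONS:
        effects = set()
        for stmt in statements:
            if "NotAction" in stmt or "NotResource" in stmt:
                continue  # out of scope for this simplified check
            if (_matches(_as_list(stmt.get("Action")), action, ignore_case=True)
                    and _matches(_as_list(stmt.get("Resource")), key_arn)):
                effects.add(stmt.get("Effect"))
        if "Allow" not in effects or "Deny" in effects:  # explicit Deny wins
            missing.append(action)
    return missing
```

Feed it the JSON rendered by the policy document before applying; an empty list means both permissions are granted on the key.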