I was able to successfully read logs from an s3 bucket, with Splunk using AWS add-on configured with an account with a KeyID and Secret Key.
Recently the logs were encrypted via KMS. Now the logs are coming in garbled - because Splunk cannot decrypt.
I am unable to find clear documentation/steps to install the KMS key for splunk to decrypt the logs.
Any direction appreciated.
The IAM user/group or role you're using for collection needs permissions to decrypt using the key, specifically the "kms:Decrypt" action. This can be scoped to just the KMS key used on the bucket you're collecting from. An example policy document:
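As an added illustration of the scoped grant described in that answer (my own example, not the answerer's policy document): the bucket name and key ARN below are constructed placeholders, and a small evaluator checks that the policy grants kms:Decrypt on that one key only.

```python
import fnmatch
import json

# Constructed placeholder identifiers (not from the original thread).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
BUCKET = "example-log-bucket"


def build_collector_policy(bucket: str, key_arn: str) -> dict:
    """Least-privilege policy for the Splunk collection principal:
    read the bucket, and decrypt only with the one KMS key the bucket uses.
    The key's own key policy must also permit this principal (or delegate
    to IAM for the account); an identity policy alone is not sufficient."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadLogBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
            {
                "Sid": "DecryptWithLogKey",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": [key_arn],  # scoped to this key, never "*"
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal IAM-style evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. Supports '*' wildcards in Action and Resource."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_collector_policy(BUCKET, KEY_ARN)
    print(json.dumps(policy, indent=2))
    # The symptom in the thread: objects download fine but arrive garbled,
    # so check the decrypt grant separately from the S3 read grant.
    print("kms:Decrypt on log key:", policy_allows(policy, "kms:Decrypt", KEY_ARN))
```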