...
* If the S3 bucket is encrypted, please grant Cloudaware decrypt permissions. You can create a custom policy for the existing Cloudaware role or on the AWS account where the S3 bucket with logs is storedaccount level. Below is an example of a custom policy applied to the Cloudaware role at the account level, where the log bucket is located. In addition to the necessary list* and get* permissions to the bucket, the policy grants decrypt permissions:
...