...
* If the S3 bucket is encrypted, please grant Cloudaware read accessdecrypt permissions. You can create a custom policy for the existing Cloudaware role or the AWS account where the S3 bucket with logs is stored. Below is an example of a bucket policy that grants read access to encryption keys, in addition to list* and get* permissions:
...