Status: IN
If CloudTrail Lake event data stores are KMS-encrypted, the KMS key policy must grant `kms:Decrypt` to the `cloudtrail.amazonaws.com` service principal for dashboards to function.
Source: entries/2026/03/12/awscloudtrail-latest-userguide-lake-dashboardhtml.md