{"id":"cloudtrail-lake-kms-decrypt-for-encrypted-eds","text":"If CloudTrail Lake event data stores are KMS-encrypted, the KMS key policy must grant `kms:Decrypt` to the `cloudtrail.amazonaws.com` service principal for dashboards to function.","truth_value":"IN","source":"entries/2026/03/12/awscloudtrail-latest-userguide-lake-dashboardhtml.md","source_url":"","source_hash":"be14a24ef79791f6","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"cloudtrail-lake-kms-decrypt-for-encrypted-eds","truth_value":"IN","reason":"premise"}]}}