Why do I receive "AccessDenied" errors from AWS Config in CloudTrail logs for the AWS KMS Decrypt API, and how can I avoid these notifications?

Last updated: 2020-01-31

Why do I receive AWS CloudTrail "AccessDenied" errors for the AWS Key Management Service (AWS KMS) Decrypt API related to the AWS Config service?

Short Description

The AWS Config configuration recorder records changes for all supported resource types in the same Region where AWS Config is running, including the AWS Lambda function resource type. However, when AWS Config tracks configuration changes to Lambda functions whose environment variables are encrypted with an AWS KMS customer managed key (CMK), it requires access to that CMK to decrypt the variables.

Note: The configuration recorder tracks all changes to a Lambda function except for the environment variables associated with it.

The AWS Identity and Access Management (IAM) role assigned with the configuration recorder has read-only permissions for these Lambda functions:

"lambda:GetFunction"
"lambda:GetPolicy"
"lambda:ListFunctions"
"lambda:GetAlias"
"lambda:ListAliases"

Because AWS Config doesn't have permission to use the CMK for cryptographic operations, its call to the Decrypt API fails, and an "AccessDenied" error is recorded in your AWS CloudTrail logs.

If you configured a CloudTrail trail to send logs to an Amazon CloudWatch log group and configured CloudWatch alarms for Unauthorized or AccessDenied API calls, each of these failed Decrypt calls triggers an "AccessDenied" notification. For more information, see Example: Authorization Failures.

Resolution

You can use a CloudWatch log filter pattern to filter out the "AccessDenied" notifications related to the Decrypt API invoked by AWS Config.

1. Open the CloudWatch console, and choose Log groups.

2. In the contents pane, in the Metric Filter column, choose the metric filter.

3. Choose the edit icon for the filter name used for authorization API call failures.

4. In Filter Pattern, remove the following filter:

{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}

5. In Filter Pattern, copy and paste the following example syntax, choose Assign Metric, and then choose Save Filter.

{($.errorCode = "*UnauthorizedOperation" || $.errorCode = "AccessDenied*") && ($.eventName != "Decrypt" || ($.userIdentity.invokedBy != "config.amazonaws.com"))}

The CloudWatch alarm monitoring clears and you no longer receive notifications for the "AccessDenied" error related to the Decrypt API invoked by AWS Config.

Note: The "AccessDenied" events continue to be recorded in your CloudTrail logs; only the alarm notification is suppressed. These specific events can be safely ignored.
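To see what the revised filter pattern changes before you save it, the following added example (not part of the original article or of any AWS tooling) re-implements the two filter patterns in plain Python and runs them over constructed CloudTrail events. The event records, field values and event IDs are made up for illustration; only the fields the patterns inspect are included. The matching below treats a missing field as "not equal" for the `!=` comparisons, which is the intent of the pattern; the CloudWatch Logs filter engine is the authority on that edge case, so confirm the final pattern against real events with `aws logs test-metric-filter` before relying on it.

```python
"""Compare the original and revised CloudWatch metric filter patterns from the
article against constructed CloudTrail events.

This is a plain-Python re-implementation of the pattern semantics for offline
illustration, not the CloudWatch Logs filter engine itself."""
from fnmatch import fnmatchcase

# Constructed sample CloudTrail events (not real log data). Only the fields
# the two filter patterns inspect are included.
SAMPLE_EVENTS = [
    {   # AWS Config calling KMS Decrypt for a Lambda environment variable:
        # the noisy case the article wants to suppress.
        "eventID": "evt-config-decrypt",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole",
                         "invokedBy": "config.amazonaws.com"},
    },
    {   # An IAM user denied an EC2 action: still worth alerting on.
        "eventID": "evt-ec2-unauth",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": {"type": "IAMUser"},
    },
    {   # A principal other than AWS Config denied on Decrypt: still worth
        # alerting on, because it is not the known-benign Config call.
        "eventID": "evt-user-decrypt",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser"},  # no invokedBy field at all
    },
    {   # A successful call carries no errorCode and must never match.
        "eventID": "evt-ok",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "userIdentity": {"type": "AssumedRole",
                         "invokedBy": "config.amazonaws.com"},
    },
]


def _field(event, path):
    """Return the value at a dotted path such as '$.userIdentity.invokedBy',
    or None when any part of the path is absent."""
    keys = (path[2:] if path.startswith("$.") else path).split(".")
    node = event
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _matches(event, path, pattern):
    """Equality test with '*' wildcards, as used in the filter patterns.
    A missing field never equals anything."""
    value = _field(event, path)
    return value is not None and fnmatchcase(str(value), pattern)


def original_pattern(event):
    """{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}"""
    return (_matches(event, "$.errorCode", "*UnauthorizedOperation")
            or _matches(event, "$.errorCode", "AccessDenied*"))


def revised_pattern(event):
    """{(<original clauses>) && ($.eventName != "Decrypt"
        || ($.userIdentity.invokedBy != "config.amazonaws.com"))}

    Assumption: '!=' is treated as true when the field is absent."""
    is_auth_failure = original_pattern(event)
    not_decrypt = not _matches(event, "$.eventName", "Decrypt")
    not_from_config = not _matches(event, "$.userIdentity.invokedBy",
                                   "config.amazonaws.com")
    return is_auth_failure and (not_decrypt or not_from_config)


def matching_event_ids(pattern, events=SAMPLE_EVENTS):
    """Event IDs that would increment the metric under the given pattern."""
    return [e["eventID"] for e in events if pattern(e)]


if __name__ == "__main__":
    print("original:", matching_event_ids(original_pattern))
    print("revised: ", matching_event_ids(revised_pattern))
```

Running the script shows the original pattern counting all three authorization failures, while the revised pattern drops only the Decrypt call invoked by config.amazonaws.com and keeps the other two, which is the behaviour you want the alarm to have. If the real filter engine reports a different result for the event with no invokedBy field when you try it with `aws logs test-metric-filter`, adjust the pattern rather than the alarm threshold.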
