
Support OpenSearch encrypted with Custom KMS (CMK) key

Open wchaws opened this issue 2 years ago • 1 comment

Describe the bug

Cannot see any logs if OpenSearch CMK is enabled.

In helper lambda logs:

[ERROR]    2023-07-25T04:59:46.965Z    25573a91-478a-4d82-96ee-c13144e24d27    An error occurred (ValidationException) when calling the UpdateElasticsearchDomainConfig operation: Error in Accessing KmsKeyID with details:User: arn:aws:sts::**********:assumed-role/CL-Pipe-7c6247c1-InitStackOpenSearchHelperRole046A-1NRFHEUW934UB/CL-Pipe-7c6247c1-OpenSearchHelperFn-6PdFQsjYjcbf is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:ap-southeast-1:**********:key/bbd26e05-7020-4076-bb1b-55ccc064d351 because no identity-based policy allows the kms:DescribeKey action (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 62788aa9-e5dc-4221-b4b4-e8d44b241bd3; Proxy: null)

Expected Behavior

opensearch contains lambda logs and dashboards

Current Behavior

no logs and dashboards

Reproduction Steps

  1. Create an OpenSearch cluster with CMK enabled.
  2. Create a Lambda service log pipeline.
  3. Check whether the OpenSearch domain has any log data.

Possible Solution

No response

Additional Information/Context

No response

Solution Version

v1.0.3

AWS Region. e.g., us-east-1

No response

Other information

No response

wchaws avatar Jul 26 '23 05:07 wchaws

The issue is caused by enabling OpenSearch for a CMK, but the log processor lambda does not have permission to access that CMK. To resolve this, you can manually add the 'kms:DescribeKey' permission to the lambda role.

wchaws avatar Dec 01 '23 05:12 wchaws
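As an added example (not code from the issue author or from the centralized-logging-with-opensearch project), the script below turns an AccessDeniedException message like the one in the helper Lambda log into a least-privilege IAM policy statement for the fix described in the comment: it extracts the denied principal, the action (kms:DescribeKey) and the KMS key ARN, and emits a statement scoped to exactly that action and that key rather than a wildcard. The sample message is constructed from the log line in the issue with the redacted account id replaced by the AWS documentation placeholder 111122223333; the statement Sid and the helper function names are assumptions.

```python
import json
import re

# Constructed sample: the error line from the helper Lambda log in this issue,
# with the redacted account id replaced by the placeholder 111122223333.
SAMPLE_ERROR = (
    "An error occurred (ValidationException) when calling the "
    "UpdateElasticsearchDomainConfig operation: Error in Accessing KmsKeyID with "
    "details:User: arn:aws:sts::111122223333:assumed-role/"
    "CL-Pipe-7c6247c1-InitStackOpenSearchHelperRole046A-1NRFHEUW934UB/"
    "CL-Pipe-7c6247c1-OpenSearchHelperFn-6PdFQsjYjcbf is not authorized to "
    "perform: kms:DescribeKey on resource: arn:aws:kms:ap-southeast-1:"
    "111122223333:key/bbd26e05-7020-4076-bb1b-55ccc064d351 because no "
    "identity-based policy allows the kms:DescribeKey action (Service: AWSKMS; "
    "Status Code: 400; Error Code: AccessDeniedException; Proxy: null)"
)

# Shape of the standard IAM "is not authorized to perform" message.
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:sts::\d{12}:assumed-role/[^ ]+) "
    r"is not authorized to perform: (?P<action>[a-z0-9-]+:[A-Za-z0-9]+) "
    r"on resource: (?P<resource>arn:aws:[^ ]+)"
)


def parse_access_denied(message):
    """Return {'principal', 'action', 'resource'} parsed from the message."""
    match = DENIED_RE.search(message)
    if match is None:
        raise ValueError("not an IAM access-denied message")
    return match.groupdict()


def role_name_from_principal(principal_arn):
    """arn:aws:sts::<acct>:assumed-role/<RoleName>/<Session> -> <RoleName>."""
    return principal_arn.split(":assumed-role/", 1)[1].split("/", 1)[0]


def least_privilege_statement(denied, sid="AllowDescribeOpenSearchCmk"):
    """Build one Allow statement scoped to the denied action and key ARN.

    Refuses to emit a statement unless the resource is a concrete KMS key ARN,
    so an operator cannot accidentally grant the action on "*" or on an alias.
    """
    resource = denied["resource"]
    if not re.fullmatch(r"arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}", resource):
        raise ValueError(f"refusing to scope statement to non-key resource: {resource}")
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Action": [denied["action"]],
        "Resource": [resource],
    }


def build_policy_document(message):
    """Parse the log line and return an IAM policy document (as a dict)."""
    denied = parse_access_denied(message)
    return {"Version": "2012-10-17", "Statement": [least_privilege_statement(denied)]}


if __name__ == "__main__":
    denied = parse_access_denied(SAMPLE_ERROR)
    print("attach to role:", role_name_from_principal(denied["principal"]))
    print(json.dumps(build_policy_document(SAMPLE_ERROR), indent=2))
```

The role to attach the resulting policy to is whichever Lambda role appears as the principal in the message; in the log line above that is the OpenSearch helper role. Scoping the Resource element to the single key ARN keeps the grant minimal; if the OpenSearch domain is later re-keyed, the statement has to be updated for the new key.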