S3 Compliance Recording Export Dropping with KMS AccessDenied on EventBridge Trigger

Trying to push GDPR-compliant session recordings to a restricted S3 bucket using the admin console export settings. The pipeline’s working fine for standard buckets but it’s choking completely when KMS encryption is enforced. CloudFormation deployed the target bucket with aws:kms:Encrypt and aws:kms:Decrypt attached to the cross-account IAM role, yet the EventBridge rule keeps firing AccessDenied when the Lambda Data Action attempts the final PUT.

Console logs show the flow builder hitting the compliance tagging node, then the webhook drops. The SDK v2.8 client throws a 403 on the PUT /api/v2/recordings endpoint before the payload even leaves the Architect environment. IAM policy’s definitely got s3:PutObject scoped to arn:aws:s3:::gc-compliance-exports/*. Trust relationship looks correct.

{
 "error": "AccessDenied",
 "requestId": "7X9K2L...",
 "hostId": "vR3m... 

The KMS key policy allows genesyscloud-external-accounts.amazonaws.com as a principal, but the CloudTrail event logs show the request originating from lambda.amazonaws.com instead. EventBridge is routing the compliance flag to the wrong execution context. We’ve got the CloudFormation stack rolling out the SNS topic subscription by mistake instead of the direct EventBridge target, which probably explains why the consent token validation node keeps timing out. The admin UI calls it a consent token but the Architect documentation refers to it as a compliance flag, so I’m just passing both through the Lambda Data Action. Can’t figure out why the webhook payload keeps dropping the encryption context.

Architect flow uses a Lambda Data Action for the redaction step before export. The execution role has kms:GenerateDataKey but the CloudFormation template accidentally scoped it to the development account. Production stack is still pulling the old us-east-1 endpoint. Console doesn’t show anything on the recording retention settings page.

Type: AWS::Lambda::Function
Properties:
 Role: !GetAtt ComplianceExporterRole.Arn
 Handler: index.handler
 Runtime: nodejs18.x
 Environment:
 Variables:
 BUCKET_ARN: arn:aws:s3:::gc-compliance-exports
 KMS_KEY: arn:aws:kms:eu-central-1:112233445566:key/abc-123

The data action returns a 500 Internal Server Error on the /v2/integrations/data/actions call. KMS key rotation is enabled, which might be breaking the temporary credentials. S3 bucket policy explicitly denies unencrypted uploads, but the payload is already encrypted in transit. EventBridge rule ARN matches the console configuration. IAM role trust policy still references the old sts:AssumeRole condition.

Logs cut off right after the kms:Decrypt step fails. Architect flow hangs on the compliance validation node. CloudFormation drift detected on the execution role permissions.