From 1d716b6e0b9b6f41e38b1caac1fe83b184fd31c7 Mon Sep 17 00:00:00 2001 From: Sean Doughty Date: Tue, 13 Jan 2026 11:14:09 -0500 Subject: [PATCH 1/2] document the rbac requirements for the API key --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 93c2deb..8c642ed 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,9 @@ Supports both workspace-level and organization-level (Enterprise) audit logs. ## Prerequisites - Render workspace on Organization or Enterprise plan -- [Render API Key](https://dashboard.render.com/u/settings) (create from Account Settings) +- [Render API Key](https://dashboard.render.com/u/settings) (create from Account Settings). The Render API key must be a User account which is: + - An Admin in every Workspace that will be tracked + - An Owner of the Oranization (Enterprise Plan) - Render Owner ID (`tea-xxx`) — workspace where the Cron Job will be deployed - [Terraform](https://www.terraform.io/downloads) >= 1.0 - AWS account with permissions to create S3 buckets and IAM users From c5bee60ebee718d5fe4c2da9f6e54bced051df76 Mon Sep 17 00:00:00 2001 From: Sean Doughty Date: Tue, 13 Jan 2026 11:14:29 -0500 Subject: [PATCH 2/2] document the IAM requirements for the KMS policy --- README.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/README.md b/README.md index 8c642ed..ceaab2a 100644 --- a/README.md +++ b/README.md 
@@ -85,6 +85,33 @@ terraform apply \ | `render_cronjob_region` | No | `oregon` | Region to deploy the Cron Job | | `render_project_name` | No | `audit-logs` | Name of the Render project | +*Note*: If you use a KMS key, confirm that the AWS IAM User is setup with the User Permissions for the key. + +Example: +``` +{ + "Version": "2012-10-17", + "Id": "default", + "Statement": [ + { + "Sid": "Allow use of the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::12345:user/render-audit-log-processor" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*" + } + ] +} +``` + ## Architecture The Terraform configuration creates:
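Review bot: In the README.md Prerequisites hunk of patch 1/2 (@@ -15,7 +15,9), the added sub-bullet misspells "Organization" as "Oranization", and the sentence "The Render API key must be a User account which is:" describes the key as an account; something like "The API key must belong to a user who is:" reads correctly. The "(Enterprise Plan)" qualifier on the Owner bullet is ambiguous: say explicitly whether Organization Owner is required only when organization-level audit logs are collected. Since these lines require an Admin/Owner-level user, consider adding one sentence recommending a dedicated user for this key and treating the key as a high-privilege secret.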
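Review bot: In the README.md hunk of patch 2/2 (@@ -85,6 +85,33), the JSON example is a KMS key policy (it carries a "Principal" element), but the note above it calls this "User Permissions" and never says where the document is applied; state that the statement goes in the key policy of the KMS key, where "Resource": "*" refers to that key only, so readers do not reuse the same Resource value in an IAM identity policy, where it would match every key. The account ID "12345" in the ARN is not a 12-digit AWS account ID; an obvious placeholder such as <ACCOUNT_ID> avoids copy-paste confusion. The action list should be checked against what the processor actually does: if it only writes objects to the bucket, kms:Encrypt and kms:ReEncrypt* are probably unnecessary and can be dropped for least privilege. Minor: "is setup with" should be "is set up with", and the fence could be tagged json.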