This check verifies that the CloudTrail logs in CloudTrail buckets are encrypted with KMS encryption keys.
This behavior is typically caused by our AWS Best Practices governance policy in the following block:
The way this is tested is by our role trying to gain unencrypted access to these logs without a KMS key. If we are able to access the logs without a key, that indicates the logs are not encrypted and we alert you about this security issue.
When we make the attempt to access an encrypted log, an entry is logged indicating there was a failed attempt to decrypt the KMS key on that bucket. That occurs because we are testing this bucket every time the policy is fired.
You can disable this block from running, which will stop the KMS decrypt messages from occurring, but you also will no longer be checking your CloudTrail buckets to verify encryption is enabled on the logs.
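To keep the check enabled and still separate its expected noise from other denied decrypts, the failed KMS entries can be triaged by caller. The following is an added example, not code from this product: it assumes CloudTrail-format JSON records, and the role name `ExampleGovernanceRole`, the account ID and the sample events are constructed placeholders.

```python
import json
from collections import Counter

# Assumption: placeholder ARN prefix of the role the governance check assumes.
SCANNER_ROLE_PREFIX = "arn:aws:sts::111122223333:assumed-role/ExampleGovernanceRole/"

# Constructed sample records in CloudTrail event format (not real log data).
SAMPLE_EVENTS = json.loads("""
[
 {"eventTime": "2024-01-01T00:00:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ExampleGovernanceRole/scan-1"}},
 {"eventTime": "2024-01-01T01:00:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ExampleGovernanceRole/scan-2"}},
 {"eventTime": "2024-01-01T01:05:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
 {"eventTime": "2024-01-01T01:10:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-auditor"}},
 {"eventTime": "2024-01-01T01:15:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}}
]
""")

def is_denied_decrypt(event):
    """True for a KMS Decrypt call that was rejected for lack of permission."""
    return (event.get("eventSource") == "kms.amazonaws.com"
            and event.get("eventName") == "Decrypt"
            and str(event.get("errorCode", "")).startswith("AccessDenied"))

def triage(events, scanner_prefix=SCANNER_ROLE_PREFIX):
    """Split denied Decrypt events into expected check noise and entries to review."""
    expected, review = Counter(), []
    for event in events:
        if not is_denied_decrypt(event):
            continue  # successful decrypts and non-KMS events are out of scope
        arn = (event.get("userIdentity") or {}).get("arn", "")
        if arn.startswith(scanner_prefix):
            expected[arn] += 1  # failed decrypt made by the encryption check itself
        else:
            review.append((event.get("eventTime"), arn or "<unknown principal>"))
    return expected, review

if __name__ == "__main__":
    expected, review = triage(SAMPLE_EVENTS)
    print("expected (governance check):", sum(expected.values()))
    for when, arn in review:
        print("needs review:", when, arn)
```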