A security engineer is implementing a logging solution for a company's AWS environment. The security engineer has configured an AWS CloudTrail trail in the company's AWS account. The logs are stored in an Amazon S3 bucket for a third-party service provider to monitor. The service provider has a designated 1AM role to access the S3 bucket.

The company requires all logs to be encrypted at rest with a customer managed key. The security engineer uses AWS Key Management Service (AWS KMS) lo create the customer managed key and key policy. The security engineer also configures CloudTrail to use the key to encrypt the trail.

When the security engineer implements this configuration, the service provider no longer can read the logs.

What should the security engineer do to allow the service provider to read the logs?