2 years ago
#32917
opseator
Decrypting file stored in AWS S3 by Kinesis firehose
I'm using Kinesis Firehose to stream log data from CloudWatch to AWS S3. The files are encrypted by the Kinesis data delivery stream with SSE-KMS, then stored in S3. However, the files are greater than 4 KB, so I assume Kinesis is using envelope encryption with a data key.
After this, I downloaded the data from S3 with:
aws s3api get-object
or aws s3 cp
and tried to decrypt it with:
aws kms decrypt --ciphertext-blob fileb://encryptedData --output text \
--query Plaintext | base64 --decode > ExamplePlaintextFile
and got the error:
An error occurred (413) when calling the Decrypt operation: HTTP content length exceeded 200000 bytes.
When looking at CloudTrail I can see the GenerateDataKey made by Kinesis. The question is: where is that data key, and how can I get my file decrypted? Has anyone faced this?
Thank you!
amazon-web-services
amazon-s3
encryption
amazon-kinesis
amazon-kms
0 Answers