I want to resolve "Access Denied" errors that users receive when they access my Amazon Simple Storage Service (Amazon S3) bucket from another AWS account. I encrypt my Amazon S3 bucket with an AWS Key Management Service (AWS KMS) customer managed key.
Short description
Note: The following resolutions apply only to Amazon S3 directory buckets and general purpose buckets.
To grant access to an AWS KMS encrypted bucket in Account A to a user in Account B, apply the following permissions:
- The Amazon S3 bucket policy in Account A must grant access to Account B.
- The AWS KMS customer managed key in Account A must be in the same AWS Region as the Amazon S3 bucket in Account A. The AWS managed key for Amazon S3 (aws/s3) can't be used for cross-account access, because you can't change its key policy.
- The AWS KMS key policy in Account A must grant access to the user in Account B.
- The AWS Identity and Access Management (IAM) policy in Account B must grant the user access to both the bucket and the AWS KMS key in Account A.
To troubleshoot the Access Denied error, verify that you configured the previous permissions correctly.
Important: You can change an AWS KMS customer managed key policy only from the account that owns the key.
You must use a fully qualified AWS KMS key Amazon Resource Name (ARN) for the bucket encryption setting. If you use an AWS KMS key alias, then AWS KMS resolves the alias in the requester's account, not in the account that owns the bucket. For a cross-account requester this can result in objects that are encrypted with a key that belongs to the requester instead of the bucket owner, or in failed requests when no such alias exists in the requester's account.
The following example AWS KMS key ARN is fully qualified for bucket encryption (Account A is 444455556666 in the examples in this article):
arn:aws:kms:us-west-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
However, the following example alias ARN isn't qualified for bucket encryption:
arn:aws:kms:us-west-2:444455556666:alias/alias-name
Resolution
Configure the bucket policy in Account A to grant access to the user in Account B
From Account A, review the bucket policy. Confirm that a statement allows access from the account ID of Account B.
The following example bucket policy allows s3:GetObject access to the account ID 111122223333 (Account B):
{
  "Id": "ExamplePolicy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt1",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Principal": {
        "AWS": [
          "111122223333"
        ]
      }
    }
  ]
}
Configure the AWS KMS key policy in Account A to grant access to the user in Account B
The AWS KMS key policy must grant the user in Account B permission for the kms:Decrypt action. Downloads (s3:GetObject) need kms:Decrypt. If the user in Account B also uploads objects (s3:PutObject), then the key policy must also grant kms:GenerateDataKey.
The following example key policy statement grants AWS KMS key access to only one IAM user or role in Account B:
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111122223333:role/role_name"
    ]
  },
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": "*"
}
From Account A, use the AWS Management Console policy view to review the AWS KMS key policy. In the AWS KMS key policy, find the statement with "Sid": "Allow use of the key". Then, confirm that the user or role in Account B is listed as a principal in that statement.
If you don't see "Sid": "Allow use of the key", then use the AWS Management Console default view to review the AWS KMS key policy. Then, add Account B's account ID as an external (other AWS) account that has access to the AWS KMS key. This grants the Account B root principal use of the key, so the user in Account B still needs the IAM permissions described in the next section.
Configure the IAM user policy in Account B to grant the user access to the Amazon S3 bucket and key in Account A
From Account B, complete the following steps:
- Open the IAM console.
- Open the IAM user or role that's associated with the user in Account B.
- Review the list of permissions policies that you applied to the IAM user or role.
- Verify that your applied policies grant access to both the bucket and AWS KMS key.
Note: If the IAM user or role in Account B already has administrator access, then you don't need to grant access to the AWS KMS key.
The following example policy grants the IAM user in Account B access to objects in the bucket and to the AWS KMS key (owned by Account A, 444455556666) that decrypts those objects:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt1",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    },
    {
      "Sid": "ExampleStmt2",
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-west-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
For more information about how to add or correct the IAM user's permissions, see Changing permissions for an IAM user.
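The following Python script is an added example for this article, not AWS code. It checks the four links of the permission chain described above offline: the bucket encryption setting (fully qualified key ARN, same Region as the bucket), the bucket policy and key policy in Account A, and the IAM policy in Account B. The inputs are policy documents as dicts, for example json.loads of the output of aws s3api get-bucket-encryption, aws s3api get-bucket-policy, aws kms get-key-policy --policy-name default, and aws iam get-role-policy. The function names (policy_allows, diagnose) are hypothetical, and the sample documents at the bottom are constructed from this article's examples, with Account A as 444455556666 and Account B as 111122223333. It evaluates only Allow statements; explicit Deny statements, Condition elements, SCPs and permissions boundaries are outside its scope.

```python
"""Offline check of the S3 bucket policy + KMS key policy + IAM policy chain.
Example code added to this article (not AWS's). Policy inputs are dicts; the
sample documents at the bottom are constructed from the article's examples."""
import fnmatch
import re

KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-f-]+$")
# KMS action that each S3 data action needs when objects use SSE-KMS.
KMS_FOR = {"s3:GetObject": "kms:Decrypt", "s3:PutObject": "kms:GenerateDataKey"}

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _glob_any(patterns, wanted):
    # IAM Action and Resource elements accept '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(wanted, p) for p in _as_list(patterns))

def _principal_covers(principal, account_id, principal_arn):
    """Does a Principal element include the caller from Account B?
    Accepts '*', the bare account ID, the account root ARN, or the exact IAM ARN."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    accepted = {"*", account_id, f"arn:aws:iam::{account_id}:root", principal_arn}
    return any(p in accepted for p in _as_list(principal.get("AWS")))

def policy_allows(policy, action, resource, account_id=None, principal_arn=None):
    """True if some Allow statement grants `action` on `resource`. For resource
    policies pass account_id/principal_arn so the Principal element is checked too.
    Deny and Condition elements are not evaluated (hypothetical helper)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _glob_any(stmt.get("Action"), action):
            continue
        if not _glob_any(stmt.get("Resource"), resource):
            continue
        if account_id and not _principal_covers(stmt.get("Principal"), account_id, principal_arn):
            continue
        return True
    return False

def diagnose(bucket, bucket_region, encryption, bucket_policy, key_policy,
             iam_policy_b, account_b, principal_b, actions=("s3:GetObject",)):
    """Return a list of findings; an empty list means every link in the chain is present."""
    findings = []
    rule = encryption["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    key_id = rule.get("KMSMasterKeyID", "")
    match = KEY_ARN_RE.match(key_id)
    if rule.get("SSEAlgorithm") != "aws:kms":
        findings.append(f"bucket default encryption is {rule.get('SSEAlgorithm')!r}, not aws:kms")
    if not match:
        findings.append(f"KMSMasterKeyID {key_id!r} is not a fully qualified key ARN; "
                        "an alias is resolved in the requester's account")
    elif match.group(1) != bucket_region:
        findings.append(f"key is in {match.group(1)} but the bucket is in {bucket_region}")
    key_arn = key_id if match else None
    object_arn = f"arn:aws:s3:::{bucket}/*"
    for s3_action in actions:
        kms_action = KMS_FOR[s3_action]
        if not policy_allows(bucket_policy, s3_action, object_arn, account_b, principal_b):
            findings.append(f"Account A bucket policy does not grant {s3_action} to {principal_b}")
        if not policy_allows(iam_policy_b, s3_action, object_arn):
            findings.append(f"Account B IAM policy does not grant {s3_action} on {object_arn}")
        if key_arn is None:
            continue  # no usable key to check until the bucket names one by ARN
        if not policy_allows(key_policy, kms_action, key_arn, account_b, principal_b):
            findings.append(f"Account A key policy does not grant {kms_action} to {principal_b}")
        if not policy_allows(iam_policy_b, kms_action, key_arn):
            findings.append(f"Account B IAM policy does not grant {kms_action} on {key_arn}")
    return findings

# Constructed sample documents that mirror this article's examples.
ACCOUNT_A, ACCOUNT_B = "444455556666", "111122223333"
BUCKET, REGION = "DOC-EXAMPLE-BUCKET", "us-west-2"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_A}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/role_name"
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"

def encryption_config(key_id):
    return {"Rules": [{"ApplyServerSideEncryptionByDefault":
                       {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_id}}]}

ENCRYPTION_OK = encryption_config(KEY_ARN)
ENCRYPTION_ALIAS = encryption_config(f"arn:aws:kms:{REGION}:{ACCOUNT_A}:alias/alias-name")
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "ExampleStmt1", "Effect": "Allow",
    "Principal": {"AWS": [ACCOUNT_B]}, "Action": ["s3:GetObject"], "Resource": OBJECTS}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "Allow use of the key", "Effect": "Allow",
    "Principal": {"AWS": [ROLE_B]}, "Action": ["kms:Decrypt"], "Resource": "*"}]}
IAM_POLICY_B = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ExampleStmt1", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": OBJECTS},
    {"Sid": "ExampleStmt2", "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": KEY_ARN}]}

if __name__ == "__main__":
    for label, enc in (("key ARN", ENCRYPTION_OK), ("key alias", ENCRYPTION_ALIAS)):
        result = diagnose(BUCKET, REGION, enc, BUCKET_POLICY, KEY_POLICY, IAM_POLICY_B, ACCOUNT_B, ROLE_B)
        print(f"{label}: {result or 'all permissions present'}")
```

With the article's three policies and a key ARN in the encryption setting, diagnose returns no findings. Switching the encryption setting to the alias ARN produces exactly one finding, and passing actions=("s3:PutObject",) shows that uploads would fail on all four links, because none of the example policies grant s3:PutObject or kms:GenerateDataKey. A clean result here still doesn't prove access works: a Deny statement, a Condition element, a service control policy or a permissions boundary can override any of these Allows, so confirm with an actual GetObject call from the Account B role.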
Related information
AWS Policy Generator