S3 Server Access Logging - Cross-Account for encrypted objects


Dear community,

Requesting your support.

**Situation: **

  • We do have a multi-account setup with a centralized logging account
  • We need to write S3 Server Access Logs from a decentral Account D to the central Account C
  • Objects in decentral Accound D are encrypted - this must be Amazon Managed Key because S3 Server Access Logs are not compatible with Customer Managed Keys acc. to AWS documentation
  • Unfortunately Amazon Managed Keys cannot be shared cross-account, because one cannot define its policies

**Target: **

  • We want to decrypt the files in decentral Account D using its Amazon Managed Key and write S3 Server Access Logs in a dedicated bucket in same account
  • Then we replicate objects to Central Account C, and reencrypt with a Customer Managed Key from Central Account C - this seems technically not possible

**Error Message: **
"You don’t have permission to get the server-side encryption settings After you or your AWS administrator has updated your permissions to allow the s3:GetObject action, refresh the page. "

Any ideas?
(update: I added a comment below with additional context - see my response to Osvaldo)

2 Answers
Accepted Answer

Update: I was able to fix it myself.

Root cause: The Replication Destination was misconfigured. Using Terraform the destination bucket was set up as if in the same account. Changing the Replication Destination to "specify a bucket in another account" fixed the issue. This is still strange, because object were replicated using the "choose bucket in this account" using a bucket name from a different account. However, it is fixed. Thanks for your help!

Additional note: You can simply keep the Amazon Managed Key setting for encryption. Using the option "change object ownership to destination bucket owner" uses the destination Amazon Managed Key. No need to use Customer Managed Key in this case.

answered 2 months ago
profile picture
reviewed a month ago

To replicate S3 Server Access Logs from Account D to Account C with encryption requirements, follow these steps:

  1. In Account D:

    • Enable S3 Server Access Logging to a specific bucket.
    • Set a bucket policy allowing cross-account access from Account C for s3:GetObject and s3:ReplicateObject.
  2. In Account C:

    • Create a Customer Managed Key (CMK) in KMS for encryption.
    • Configure S3 replication to copy logs from Account D to C, encrypting with the CMK in Account C.
    • Create an IAM role with permissions for replication and encryption (s3:ReplicateObject, s3:ReplicateDelete, kms:Encrypt), accessible by Account D.
  3. Troubleshooting:

    • Ensure roles/users in both accounts have the necessary permissions (s3:GetObject, kms:Decrypt, s3:GetEncryptionConfiguration).
profile picture
answered 2 months ago
  • Hi Osvaldo,

    If I understand you correct, you want to set up replication INSIDE the central Account C, which is technically not possible from what I see. You can set up a replication rule only from inside an S3 bucket. This S3 bucket is always the source of the replication.

    It is only possible to initiate the replication from the decentral Account D.

    Summarizing my situation in other words following your schema:

    In Account D:

    • In this account we have our source bucket 1
    • We also have specific bucket 2 which is used for S3 server access logs - all objects inside are encrypted using Amazon Managed Keys
    • FROM bucket 2, we initiate replication
    • In replication settings, we chose to change the key to a Customer Managed Key from Account C

    In Account C:

    • In this account we have the destination bucket 3 for Server Access Logs
    • We receive replicated log files here. However I cannot download or open the objects. It seems they are still encrypted with the Amazon Managed Key from Account D.

    Error Message (when opening a replicated object, under "server-side encryption settings": "You don’t have permission to get the server-side encryption settings After you or your AWS administrator has updated your permissions to allow the s3:GetObject action, refresh the page. " Error Message (opening the object): "Access Denied"

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions