Yes, when the objects in S3 are encrypted with SSE-KMS, each object will have to be decrypted whenever its contents are accessed.
If you've enabled the bucket key option for SSE-KMS and you access multiple objects encrypted with the same bucket key within a short period of time, S3 will attempt to have KMS decrypt the bucket key once and reuse it to decrypt multiple object keys within the brief period of time that the decrypted bucket key is retained by S3, without calling KMS repeatedly. The exact behaviour will depend on timing and other variables, so whether the number of calls to KMS for a given query will be one or three, for example, won't be completely predictable.
Hello,
If you suspect issues with KMS Decrypt calls or Glue catalog access, here are some troubleshooting steps:
- **CloudTrail Logs:** Enable CloudTrail logging for the KMS key and Glue service in both accounts. This will provide detailed information on KMS API calls (including Decrypt) and Glue catalog interactions.
- **VPC Flow Logs:** If applicable, consider enabling VPC Flow Logs to monitor network traffic between your Glue ETL environment and the S3 buckets. This can help identify potential network bottlenecks.
- **Amazon CloudWatch Metrics:** Monitor relevant CloudWatch metrics, such as KMSDecryptionErrors and GlueCatalogGetTableErrors, to identify any errors or performance issues.
- **Glue Job Logs:** Review Glue job logs for any warnings or errors that might indicate decryption problems.
Hello,
Check these to resolve the issue:
- Check IAM Permissions:
Verify that the role used in the source account has the necessary permissions to access the Glue catalog and S3 objects in the destination account. Use the IAM policy simulator to validate permissions.
- Verify KMS Key Access:
Ensure the role in the source account has proper access (Decrypt) to the customer-managed KMS key used for S3 encryption in the destination account.
- Monitor KMS Decrypt Calls:
Use AWS CloudTrail to monitor KMS Decrypt calls during your cross-account Glue queries. This helps identify if Decrypt is being called excessively.
- Analyze Query Efficiency:
Review your Glue query and see if it retrieves unnecessary data. Consider filtering or projecting specific columns to reduce the number of objects accessed.
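The three answers converge on one check: pull the KMS Decrypt events out of CloudTrail and look at who is calling, for which bucket, whether the call was denied, and whether S3 used a bucket key or a per-object data key. The script below is an added example for this thread, not code from any of the answers; its CloudTrail records are constructed, and the account IDs, KMS key ARN, bucket names and role ARNs are placeholders. It relies on the S3 documentation's description of the bucket-key behaviour in the first answer: S3 sets the KMS encryption context key `aws:s3:arn` to the bucket ARN when an S3 Bucket Key is in use and to the object ARN otherwise, so a trail full of object ARNs means KMS is being called per object.

```python
"""Summarize KMS Decrypt calls that S3 made on behalf of a caller, from CloudTrail.

Added example for this thread, not code from any of the answers. The
CloudTrail records are constructed; account IDs, key ARNs, bucket and role
names are placeholders.
"""
import json
from collections import defaultdict

# Encryption-context key S3 sets on every KMS call it makes for SSE-KMS.
# Per the S3 documentation, its value is the bucket ARN when an S3 Bucket Key
# is in use and the object ARN when each object carries its own KMS data key.
S3_CTX_KEY = "aws:s3:arn"


def split_s3_arn(arn):
    """Split "arn:aws:s3:::bucket[/key]" into (bucket ARN, object key or None)."""
    bucket, sep, key = arn.partition("/")  # bucket names never contain '/'
    return bucket, (key if sep else None)


def _decrypt_event(caller, s3_arn, key_arn, error=None):
    """Constructed CloudTrail record carrying only the fields this script reads."""
    rec = {
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "userIdentity": {"arn": caller},
        "requestParameters": {"encryptionContext": {S3_CTX_KEY: s3_arn}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}],
    }
    if error:
        rec["errorCode"] = error  # CloudTrail records a failed call's error at top level
    return rec


# Placeholder identities and resources (not real accounts or keys).
GLUE_ROLE = "arn:aws:sts::111111111111:assumed-role/GlueJobRole/GlueJobRunnerSession"
ANALYST_ROLE = "arn:aws:sts::111111111111:assumed-role/AnalystRole/analyst"
KEY_ARN = "arn:aws:kms:us-east-1:222222222222:key/00000000-0000-0000-0000-000000000000"
RAW = "arn:aws:s3:::data-lake-raw"
LEGACY = "arn:aws:s3:::legacy-exports"

# Constructed sample trail: one bucket-key decrypt, two per-object decrypts,
# one denied decrypt, plus two events the script must ignore.
SAMPLE_TRAIL = json.dumps({"Records": [
    _decrypt_event(GLUE_ROLE, RAW, KEY_ARN),  # bucket key: one call serves many objects
    _decrypt_event(GLUE_ROLE, LEGACY + "/part-0000.parquet", KEY_ARN),
    _decrypt_event(GLUE_ROLE, LEGACY + "/dt=2024-05-01/part-0001.parquet", KEY_ARN),
    _decrypt_event(ANALYST_ROLE, RAW, KEY_ARN, error="AccessDenied"),
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",  # Decrypt not issued by S3
     "userIdentity": {"arn": GLUE_ROLE},
     "requestParameters": {"encryptionContext": {
         "SecretARN": "arn:aws:secretsmanager:us-east-1:111111111111:secret:db-creds"}}},
    {"eventSource": "glue.amazonaws.com", "eventName": "GetTable",  # not a KMS event
     "userIdentity": {"arn": GLUE_ROLE}},
]})


def summarize_s3_decrypts(trail_json):
    """Aggregate S3-originated KMS Decrypt events by (caller ARN, bucket ARN).

    Each value counts bucket-key calls, per-object calls and denied calls and
    collects the KMS key ARNs seen. Non-Decrypt events and Decrypt calls whose
    encryption context was not set by S3 are skipped.
    """
    stats = defaultdict(lambda: {"bucket_key": 0, "per_object": 0, "denied": 0, "kms_keys": set()})
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") != "Decrypt":
            continue
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        s3_arn = ctx.get(S3_CTX_KEY)
        if not s3_arn:
            continue
        bucket, key = split_s3_arn(s3_arn)
        caller = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        entry = stats[(caller, bucket)]
        if rec.get("errorCode"):
            entry["denied"] += 1
        elif key is None:
            entry["bucket_key"] += 1
        else:
            entry["per_object"] += 1
        entry["kms_keys"].update(
            r["ARN"] for r in rec.get("resources", []) if r.get("type") == "AWS::KMS::Key")
    return dict(stats)


def findings(stats):
    """Translate the aggregate into the checks the answers above recommend."""
    out = []
    for (caller, bucket), e in sorted(stats.items()):
        keys = ", ".join(sorted(e["kms_keys"])) or "unknown key"
        if e["denied"]:
            out.append(f"DENIED: {caller} failed kms:Decrypt {e['denied']}x for {bucket} ({keys}); "
                       f"grant kms:Decrypt in the key policy and in the role's IAM policy")
        if e["per_object"] and not e["bucket_key"]:
            out.append(f"PER-OBJECT: {caller} issued {e['per_object']} per-object Decrypt calls for "
                       f"{bucket}; enable an S3 Bucket Key (objects written before that keep per-object keys)")
    return out


if __name__ == "__main__":
    for line in findings(summarize_s3_decrypts(SAMPLE_TRAIL)):
        print(line)
```

To run it against a real trail, replace `SAMPLE_TRAIL` with the contents of a CloudTrail log file (or the output of `aws cloudtrail lookup-events` reshaped into a `Records` list) from the account that owns the KMS key, since that is where cross-account Decrypt calls are recorded; the caller ARN then shows which role in the source account is doing the decrypting.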