
Access Denied: KMS policy to access AWS Control Tower central log archive bucket from another account?


Hi all

I’m trying to access the AWS Control Tower central log archive bucket in the LogArchive account from a Lambda function running in another account. The bucket is encrypted with an SSE-S3 key, so I initially used the following policy for the Lambda function’s role:

{
	"Action": [
		"s3:GetObject",
		"s3:PutObject",
		"s3:PutObjectAcl"
	],
	"Effect": "Allow",
	"Resource": "arn:aws-us-gov:s3:::aws-controltower-logs-123456789012-us-gov-east-1/*"
}

However, I encountered an AccessDenied error. To resolve it, I added the following to the role’s policy, which allowed access to work:

{
	"Action": [
		"kms:GenerateDataKey",
		"kms:Decrypt"
	],
	"Effect": "Allow",
	"Resource": "*"
}

Two questions here:

  1. My understanding was that with SSE-S3, Amazon S3 manages the keys internally, meaning there are no KMS keys involved and no additional permissions beyond standard S3 actions. Is that correct?
  2. I would prefer not to use "Resource": "*", especially for KMS permissions. If KMS access is indeed required, which key ARN should I specify instead?

Thanks.

1 Answer

Hello.

If you are using SSE-S3, you should be able to download without setting up access to KMS.
Does the bucket policy of the S3 bucket allow access from the AWS account that owns Lambda?
You need to configure your S3 bucket policy to allow the IAM role for Lambda.
The documentation below relates to uploads, but I think you should do the same for downloads.
https://repost.aws/knowledge-center/access-denied-lambda-s3-bucket

Try configuring the bucket policy as shown below to allow "s3:GetObject" from the Lambda IAM role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-us-gov:iam::AccountA:role/LambdaRole"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws-us-gov:s3:::aws-controltower-logs-123456789012-us-gov-east-1/*"
            ]
        }
    ]
}

By the way, cross-account access only works within the same partition.
Therefore, if S3 is hosted on GovCloud, Lambda must also be hosted on GovCloud.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html

IAM roles and resource-based policies delegate access across accounts only within a single partition. For example, you have an account in US West (N. California) in the standard aws partition. You also have an account in China in the aws-cn partition. You can't use a resource-based policy in your account in China to allow access for users in your standard AWS account.

EXPERT
answered 3 months ago
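The two points in play here (whether a KMS statement is needed at all, and which key ARN to scope it to instead of "*") both follow from the bucket's actual default-encryption setting, which is what S3 GetBucketEncryption returns. The following is an added example, not code from the question or the answer: it takes a GetBucketEncryption response shape, reports the algorithm and key, and derives the least-privilege statements that must exist on both sides of the account boundary. For SSE-S3 (AES256) it emits only the S3 statement; for SSE-KMS it scopes kms:Decrypt (and kms:GenerateDataKey only when uploads are requested) to the bucket's key ARN and also produces the statement the key policy in the log archive account needs, since cross-account use of a customer managed key requires both the identity policy and the key policy to allow it. The key ARN, role ARN and both sample responses are constructed placeholders; the bucket ARN is the one from the question.

```python
"""
Derive least-privilege cross-account statements from a bucket's default
server-side encryption configuration (the response shape of S3
GetBucketEncryption). Added example; not from the re:Post thread.
All ARNs below except the bucket ARN are constructed placeholders.
"""

BUCKET_ARN = "arn:aws-us-gov:s3:::aws-controltower-logs-123456789012-us-gov-east-1"
ROLE_ARN = "arn:aws-us-gov:iam::111111111111:role/LambdaRole"       # placeholder
KEY_ARN = ("arn:aws-us-gov:kms:us-gov-east-1:222222222222:"
           "key/00000000-0000-0000-0000-000000000000")              # placeholder

# Constructed sample: bucket default encryption is SSE-S3. No KMS key involved.
SSE_S3_CONFIG = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    }
}

# Constructed sample: bucket default encryption is SSE-KMS with a customer managed key.
SSE_KMS_CONFIG = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": KEY_ARN,
            },
            "BucketKeyEnabled": True,
        }]
    }
}

# Which KMS permission each S3 object action needs when the bucket is SSE-KMS:
# reads decrypt the object's data key, writes generate a new one.
KMS_ACTION_FOR = {
    "s3:GetObject": "kms:Decrypt",
    "s3:PutObject": "kms:GenerateDataKey",
}


def default_encryption(config):
    """Return (algorithm, key_id) from a GetBucketEncryption response.
    key_id is None for SSE-S3, and also for SSE-KMS with the AWS managed
    key aws/s3, whose ID is not listed in the rule."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default:
            return default["SSEAlgorithm"], default.get("KMSMasterKeyID")
    return None, None


def required_grants(config, bucket_arn, role_arn, actions=("s3:GetObject",)):
    """Return {"role_policy": [...statements...], "key_policy": statement|None}.
    role_policy goes on the Lambda role in the calling account; key_policy is
    the statement the key in the bucket owner's account must carry (None when
    no customer managed key is involved). The bucket policy is separate and
    must still allow the role, as the answer above shows."""
    role_policy = [{
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": f"{bucket_arn}/*",
    }]
    algorithm, key_id = default_encryption(config)
    if algorithm != "aws:kms":
        return {"role_policy": role_policy, "key_policy": None}
    if key_id is None:
        # AWS managed keys have a fixed key policy, so they cannot be shared
        # with another account; the bucket would need a customer managed key.
        raise ValueError("bucket uses the AWS managed key aws/s3; cross-account use is not possible")
    if not key_id.startswith("arn:"):
        # A bare key ID or alias only resolves in the key owner's own account;
        # the identity policy in the calling account needs the full key ARN.
        raise ValueError(f"use the full key ARN instead of {key_id!r} for cross-account access")
    kms_actions = sorted({KMS_ACTION_FOR[a] for a in actions if a in KMS_ACTION_FOR})
    role_policy.append({"Effect": "Allow", "Action": kms_actions, "Resource": key_id})
    key_policy = {
        "Sid": "AllowLambdaRoleFromOtherAccount",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": kms_actions,
        "Resource": "*",      # in a key policy, "*" means this key only
    }
    return {"role_policy": role_policy, "key_policy": key_policy}


if __name__ == "__main__":
    import json
    for name, cfg in (("SSE-S3", SSE_S3_CONFIG), ("SSE-KMS", SSE_KMS_CONFIG)):
        print(name, json.dumps(required_grants(cfg, BUCKET_ARN, ROLE_ARN), indent=2))
```

If the real bucket reports AES256 and access still fails without a KMS grant, the denial is coming from somewhere else (most likely the bucket policy in the log archive account); if it reports aws:kms, the fix that worked in the question is expected, and the key ARN in the response is the value to put in place of "*".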
