Access denied error in Athena

0

Hi, I am trying to set up cross-account access for the Glue catalog. I want to have access to the data located in the producer account from the consumer account's Athena. After setting up the access and running the crawlers, I can see the database and tables in the consumer account's Athena, but when I run a query, this error occurs:

User: arn:aws:.... is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ...; Proxy: null) (Service: AWSGlue; Status Code: 400; Error Code: GlueEncryptionException; Request ID: ....; Proxy: null)

Since I attached all the required policies to the key, bucket and catalog, my guess is that the error occurs because my existing data is encrypted with the previous KMS key (the AWS-managed key). However, although I specified a customer-managed key in the Data Catalog settings, running the crawler did not cause re-encryption. So, we need to re-encrypt the data with the new key. Am I right? Does anyone have any opinion?

2 Answers
3

If it's affordable for you, you can try copying the data to a new location with re-encryption. Use an S3 Batch Operation or an AWS Glue job to copy the data to a new location and re-encrypt it using the new customer-managed KMS key.

Example S3 Batch Operation:

  • Create a manifest file listing all the objects to be re-encrypted.
  • Use S3 Batch Operations to copy each object to the same location with the new encryption key.
  • Update Data Catalog Settings. Ensure that the Glue Data Catalog is updated to reflect the new encryption settings.
EXPERT
answered 4 months ago
EXPERT
Leo K
reviewed 4 months ago
-1

And to confirm, yes, you are correct in what you said, @gh-v. If your data in S3 is encrypted with the AWS-managed KMS key for S3, there's no way for another AWS account to access the encrypted objects via S3's APIs, unless you re-encrypt them first.

EXPERT
Leo K
answered 4 months ago
EXPERT
reviewed 3 months ago
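As an added example (not code from the thread, from AWS, or from either answerer), the script below turns the two answers into something checkable: it decides from an S3 `HeadObject` response whether an object is still encrypted under a key other than the target customer-managed key (objects under the AWS-managed `aws/s3` key fall into this set, which is the case Leo K describes), writes the CSV manifest the first answer mentions, and builds the `s3control.create_job` parameters for an in-place S3 Batch Operations copy that re-encrypts under the new CMK. Account IDs, bucket names, role and key ARNs, and the sample `HeadObject` responses are all constructed placeholders; the `create_job` call itself is only shown in a comment since it needs live credentials.

```python
"""Added example: find S3 objects that still need re-encryption under the
target customer-managed KMS key and build the Batch Operations copy job.
All ARNs, account IDs and bucket names are constructed placeholders."""
import csv
import io
from urllib.parse import quote

# Constructed placeholders (not from the thread); replace with real values.
PRODUCER_ACCOUNT = "111111111111"
CONSUMER_ACCOUNT = "222222222222"
BUCKET = "producer-data-bucket"
TARGET_CMK_ARN = (
    f"arn:aws:kms:us-east-1:{PRODUCER_ACCOUNT}:key/"
    "00000000-0000-0000-0000-000000000000"
)
BATCH_ROLE_ARN = f"arn:aws:iam::{PRODUCER_ACCOUNT}:role/s3-batch-reencrypt-role"


def needs_reencryption(head: dict, target_key_arn: str = TARGET_CMK_ARN) -> bool:
    """True if the object described by a HeadObject response must be copied
    again: unencrypted, SSE-S3 (AES256), or SSE-KMS under any key other than
    the target CMK. The AWS-managed aws/s3 key has a fixed key policy, so the
    consumer account can never be granted kms:Decrypt on it."""
    if head.get("ServerSideEncryption") != "aws:kms":
        return True
    return head.get("SSEKMSKeyId") != target_key_arn


def select_keys_to_reencrypt(objects: dict, target_key_arn: str = TARGET_CMK_ARN) -> list:
    """objects maps S3 key -> HeadObject response; returns the keys to re-copy."""
    return sorted(k for k, h in objects.items() if needs_reencryption(h, target_key_arn))


def build_manifest(keys, bucket: str = BUCKET) -> str:
    """CSV manifest body (bucket,key per line) in the format S3 Batch
    Operations reads; object keys are URL-encoded as that format requires."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for key in keys:
        writer.writerow([bucket, quote(key)])
    return buf.getvalue()


def build_copy_job(manifest_arn: str, manifest_etag: str, report_bucket: str) -> dict:
    """Keyword arguments for s3control.create_job: copy every listed object
    onto itself, keeping its metadata, with SSE-KMS under the target CMK."""
    return {
        "AccountId": PRODUCER_ACCOUNT,
        "ConfirmationRequired": False,
        "Operation": {
            "S3PutObjectCopy": {
                "TargetResource": f"arn:aws:s3:::{BUCKET}",
                "MetadataDirective": "COPY",
                "NewObjectMetadata": {"SSEAlgorithm": "KMS"},
                "SSEAwsKmsKeyId": TARGET_CMK_ARN,
            }
        },
        "Manifest": {
            "Spec": {"Format": "S3BatchOperations_CSV_20180820", "Fields": ["Bucket", "Key"]},
            "Location": {"ObjectArn": manifest_arn, "ETag": manifest_etag},
        },
        "Report": {
            "Bucket": f"arn:aws:s3:::{report_bucket}",
            "Format": "Report_CSV_20180820",
            "Enabled": True,
            "Prefix": "reencrypt-reports",
            "ReportScope": "FailedTasksOnly",
        },
        "Priority": 10,
        "RoleArn": BATCH_ROLE_ARN,
    }


def consumer_key_policy_statement(consumer_account: str = CONSUMER_ACCOUNT) -> dict:
    """Key-policy statement on the target CMK that lets the consumer account's
    principals decrypt; the consumer side still needs a matching IAM policy."""
    return {
        "Sid": "AllowConsumerAccountDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
    }


# Constructed sample HeadObject responses in the shape boto3's s3.head_object returns.
SAMPLE_OBJECTS = {
    "sales/2024/part-0.parquet": {  # still under a constructed "old" key ARN
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": f"arn:aws:kms:us-east-1:{PRODUCER_ACCOUNT}:key/old-managed-key-id",
    },
    "sales/2024/part-1.parquet": {"ServerSideEncryption": "AES256"},
    "sales/2024/part-2.parquet": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": TARGET_CMK_ARN},
}

if __name__ == "__main__":
    keys = select_keys_to_reencrypt(SAMPLE_OBJECTS)
    print(build_manifest(keys), end="")
    # Live run (assumed invocation, needs credentials): upload the manifest, then
    # boto3.client("s3control").create_job(**build_copy_job(manifest_arn, etag, BUCKET))
```

Running the script prints a manifest with only the two objects that are not yet under the target key, which is the set the batch copy job should touch; objects already under the CMK are left alone. The `ServerSideEncryption`/`SSEKMSKeyId` check is also a quick way to confirm, after the job finishes, that nothing is still bound to the old key before retrying the Athena query.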
