Why do cross-account users receive Access Denied errors when they try to access my S3 objects that I encrypted with an AWS KMS customer managed key?

4 minute read
2

My Amazon Simple Storage Service (Amazon S3) bucket is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. When users from another AWS account try to access the objects in my bucket, they get an Access Denied error.

Short description

To grant access to an AWS KMS encrypted bucket in Account A to a user in Account B, apply the following permissions:

  • The Amazon S3 bucket policy in Account A must grant access to Account B.
  • The AWS managed key in Account A must be located in the same AWS Region as the S3 bucket in Account A.
  • The AWS KMS key policy in Account A must grant access to the user in Account B.
  • The AWS Identity and Access Management (IAM) policy in Account B must grant the user access to both the bucket and key in Account A.

To troubleshoot the Access Denied error, verify that these permissions are set up correctly.

Important: For customer managed key policies, you can change the key policy only from the account that created the policy.

You must use a fully qualified KMS key ARN for the bucket encryption setting. If you use a KMS key alias, then AWS KMS resolves the key only within the account that owns the bucket (Account A).

The following is an example of a fully qualified AWS KMS key ARN that you use for bucket encryption:

"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

The following is an example of an AWS KMS key alias that you don't use for bucket encryption:

arn:aws:kms:us-west-2:111122223333:alias/alias-name

Resolution

The bucket policy in Account A must grant access to the user in Account B

From Account A, review the bucket policy to confirm that there's a statement that allows access from the account ID of Account B.

For example, the following bucket policy allows s3:GetObject access to the account ID 111122223333:

{
  "Id": "ExamplePolicy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt1",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Principal": {
        "AWS": [
          "111122223333"
        ]
      }
    }
  ]
}

The AWS KMS key policy in Account A must grant access to the user in Account B

The AWS KMS key policy must grant the user in Account B permissions to the kms:Decrypt action. For example, to grant key access to only one IAM user or role, use a key policy similar to the following one:

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::111122223333:role/role_name"
        ]
    },
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": "*"
}

From Account A, use the AWS Management Console policy view to review the key policy. In the key policy, find "Sid": "Allow use of the key". Then, confirm that the user in Account B is listed as a principal in that statement.

If you don't see the statement "Sid": "Allow use of the key", then use the AWS Management Console default view to review the key policy. Then, add Account B's account ID as an external account that has access to the key.

The IAM user policy in Account B must grant the user access to both the bucket and key in Account A

From Account B, complete the following steps:

  1. Open the IAM console.
  2. Open the IAM user or role that's associated with the user in Account B.
  3. Review the list of permissions policies that are applied to the IAM user or role.
  4. Verify that there are applied policies that grant access to both the bucket and key.
    Note: If the IAM user or role in Account B already has administrator access, then you don't need to grant access to the key. The following example policy grants the IAM user in Account B access to objects and the KMS key to decrypt objects in a bucket:
    {
        "Version": "2012-10-17",
        "Statement": [{
                "Sid": "ExampleStmt1",
                "Action": [
                    "s3:GetObject"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            },
            {
                "Sid": "ExampleStmt2",
                "Action": [
                    "kms:Decrypt"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:kms:us-west-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
            }
        ]
    }

For more information about how to add or correct the IAM user's permissions, see Changing permissions for an IAM user.

Related information

AWS Policy Generator

AWS OFFICIAL
AWS OFFICIALUpdated 10 days ago
3 Comments

this doc helps for fixing my encryption issue.

replied a year ago

Consider checking the ACL setup of the bucket as well as ACL rules may interfere with Bucket policies. If possible, disabling ACLs provides the most predictable results and will simplify support in the long term.

ddewolf
replied 5 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 5 months ago