How can I resolve the "Given key ID not accessible" error when performing a cross-account copy in AWS Backup?

Lesedauer: 4 Minute
0

When I perform a cross-account copy in AWS Backup, I receive the error “Given key ID not accessible.”

Short description

When using AWS Backup to perform a cross-account copy from one AWS account to another, you receive an error similar to the following messages:

"Given key ID is not accessible"

-or-

"The source snapshot KMS key does not exist, is not enabled or you do not have permissions to access it"

To successfully create a cross-account copy, you must allow the destination account on the source account AWS Key Management Service (AWS KMS) key policy. The following AWS KMS permissions are necessary to perform various cryptographic operations:

  • DescribeKey
  • Encrypt
  • Decrypt
  • ReEncryptFrom
  • ReEncryptTo
  • GenerateDataKeyPair
  • GenerateDataKeyPairWithoutPlaintext
  • GenerateDataKeyWithoutPlaintext
  • CreateGrant
  • ListGrant
  • RevokeGrant

Resolution

You must include the destination account root user in the source account AWS KMS key policy. Then, the destination account root user delegates the necessary AWS Identity and Access Management (IAM) permissions to the users and roles.

For resources that support full AWS Backup management, the source AWS KMS key is the encryption key of the vault. The source AWS KMS key can either be a customer managed key or AWS managed key. If the source AWS KMS key is a customer managed key, then you must modify the key policy to include the destination account.

For resources that don't support full AWS Backup management, the source AWS KMS key is the encryption key of the original resource. The source AWS KMS key must be a customer managed key, and you must modify the key policy to include the destination account.

Note: The source AWS KMS key can't be an AWS managed key. This is because an AWS managed key doesn't allow you to modify the key policy. Also, you can't share the AWS managed key with the destination account.

Source AWS KMS key policy

To create a copy from one account to another, modify your source AWS KMS key to include the following permissions:

Note: Replace SourceAccountID and DestinationAccountID with your source and destination account IDs.

{  
    "Version": "2012-10-17",  
    "Id": "cab-kms-key",  
    "Statement": [{  
            "Sid": "Enable IAM User Permissions",  
            "Effect": "Allow",  
            "Principal": {  
                "AWS": "arn:aws:iam::SourceAccountID:root"  
            },  
            "Action": "kms:*",  
            "Resource": "*"  
        },  
        {  
            "Sid": "Allow use of the key",  
            "Effect": "Allow",  
            "Principal": {  
                "AWS": [  
                    "arn:aws:iam::SourceAccountID:root",  
                    "arn:aws:iam::DestinationAccountID:root"  
                ]  
            },  
            "Action": [  
                "kms:DescribeKey",  
                "kms:Encrypt",  
                "kms:Decrypt",  
                "kms:ReEncrypt*",  
                "kms:GenerateDataKey*"  
            ],  
            "Resource": "*"  
        },  
        {  
            "Sid": "Allow attachment of persistent resources",  
            "Effect": "Allow",  
            "Principal": {  
                "AWS": [  
                    "arn:aws:iam::SourceAccountID:root",  
                    "arn:aws:iam::DestinationAccountID:root"  
                ]  
            },  
            "Action": [  
                "kms:CreateGrant",  
                "kms:ListGrants",  
                "kms:RevokeGrant"  
            ],  
            "Resource": "*",  
            "Condition": {  
                "Bool": {  
                    "kms:GrantIsForAWSResource": "true"  
                }  
            }  
        }  
    ]  
}

Tip: In the preceding policy, instead of using arn:aws:iam::DestinationAccountID:root, you can restrict access to a single role from the destination account with ARN arn:aws:iam::DestinationAccountID:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup. AWSServiceRoleforBackup is a service role that's automatically created in the destination account and is used to pull backups from the source account into the destination account.

Additional considerations for encryption in AWS Backup for cross-account copies

To see which resource types are eligible for full AWS Backup management, see Feature availability by resource.

If the resource supports full AWS Backup management, then you can encrypt these resources with a customer managed AWS KMS key or AWS managed key. In this scenario, the following encryption occurs:

  • The source backup is encrypted with a source vault AWS KMS key.
  • The destination copy is encrypted with a destination vault AWS KMS key.

To create cross-account copies from resources that don't support full AWS Backup management, encrypt the resources with a customer managed AWS KMS key. In this scenario, the following encryption occurs:

  • The source backup is encrypted with original resource encryption key.
  • The destination copy is encrypted with a destination vault AWS KMS key.

Related information

What is AWS Backup?

Ensuring security of your code in a cross-region/cross-account deployment solution

Encryption for backups in AWS Backup

AWS OFFICIAL
AWS OFFICIALAktualisiert vor 9 Monaten