This error occurs because the destination S3 bucket is encrypted with customer managed KMS keys and the IAM role and KMS policy do not have sufficient permissions to perform the Put object action. Though some customers added limited KMS keys, it still fails because "kms:GenerateDataKey" is not present in both the IAM role policy and the KMS policy.
Resolution
Check the following:
- Check whether encryption is enabled on the S3 bucket and which type of KMS key it uses.
- Make sure the IAM role policy and the KMS key policy for this role have the following minimum permissions: "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:DescribeKey", "kms:GetPublicKey", "kms:GenerateDataKey".
- Make sure the IAM role trust policy follows Example 1 in this documentation: https://docs.aws.amazon.com/datasync/latest/userguide/using-identity-based-policies.html
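
The permission check above can be run offline against exported policy JSON. The following Python sketch is an added example, not part of the original answer or AWS tooling: the function names, the account ID, the role ARN and both sample policies are constructed for illustration. It only inspects `Allow` statements and ignores `Deny`, `Condition`, `NotAction` and `Resource`.

```python
import fnmatch

# Minimum KMS actions listed in the answer above.
REQUIRED = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
            "kms:DescribeKey", "kms:GetPublicKey", "kms:GenerateDataKey"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy, principal_arn=None):
    """Collect Action patterns from Allow statements.
    For a key policy, pass principal_arn to keep only statements naming it."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if principal_arn is not None:
            principal = stmt.get("Principal", {})
            aws = (_as_list(principal.get("AWS", []))
                   if isinstance(principal, dict) else [principal])
            if principal_arn not in aws and "*" not in aws:
                continue
        patterns += _as_list(stmt["Action"])
    return patterns

def missing_actions(policy, principal_arn=None):
    """Return the required actions that no Allow pattern covers.
    Action names are case-insensitive; '*' in a granted pattern is a wildcard."""
    granted = [p.lower() for p in allowed_patterns(policy, principal_arn)]
    return [req for req in REQUIRED
            if not any(fnmatch.fnmatchcase(req.lower(), p) for p in granted)]

# Constructed sample data (hypothetical role and account).
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleDataSyncRole"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",   # the "limited" KMS grant case
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": "kms:*", "Resource": "*"}}

if __name__ == "__main__":
    print("IAM role policy is missing:", missing_actions(ROLE_POLICY))
    print("KMS key policy is missing:", missing_actions(KEY_POLICY, ROLE_ARN))
```

An empty list for both policies means the minimum set is granted on both sides; any action reported for either policy is a candidate cause of the failed write.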