cross-account permissions for S3 bucket access


I am working in two separate AWS accounts and have created a Service Catalog Product Portfolio in account A that I imported into account B. I have a permissions error when I launch the imported products in account B. Specifically, I am getting "access denied by S3". I have attempted to remedy this by modifying the bucket policy of the bucket in account A to allow GetObject permissions to account B. However, the error is still stating that my user is not authorized to perform "kms:decrypt". The S3 bucket in account A uses the default SSE-KMS, so there is no KMS policy for me to modify as it stands. Do I need to create a KMS key specific for this bucket and modify the KMS policy to allow these permissions, or is there a better way to solve this cross-account permissions problem? I've provided the error messages and my bucket policy below for further clarification. Thank you!

Error message: Resource Type: AWS::Lambda::Function StatusReason: Resource handler returned message: "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for <account-A-bucket>. S3 Error Code: AccessDenied. S3 Error Message: User: arn:aws:iam::<account-B>:user/me is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access (Service: Lambda, Status Code: 403, Request ID: <redacted>)" (RequestToken: <redacted>, HandlerErrorCode: AccessDenied)

Bucket A bucket policy (the `*` wildcards were stripped by the page formatting and are restored here):

```json
{
  "Version": "2012-10-17",
  "Id": "AccessControl",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<account-A-bucket>",
        "arn:aws:s3:::<account-A-bucket>/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    },
    {
      "Sid": "ExternalServiceCatalogAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-A>:root",
          "arn:aws:iam::<account-B>:root"
        ]
      },
      "Action": [ "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl" ],
      "Resource": [
        "arn:aws:s3:::<account-A-bucket>",
        "arn:aws:s3:::<account-A-bucket>/*"
      ]
    }
  ]
}
```

1 Answer

Hi,

This guidance is made for Glue but it also applies to our case regarding missing KMS key: https://repost.aws/knowledge-center/glue-400-errors-kms

Please read it and transpose it from the Glue context to your S3 context.

Best.

Didier

AWS EXPERT, answered 5 months ago
EXPERT, reviewed 5 months ago
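Added example, not part of the question or the answer above. The linked guidance comes down to one point that also applies to S3: the AWS managed key `aws/s3` has a fixed key policy that only ever grants principals in the owning account, so cross-account `kms:Decrypt` requires a customer managed key whose policy names the other account, plus an identity policy on the consumer side. The script below builds those two policy documents and also audits a bucket policy for a defect that produces the same `GetObject` AccessDenied: object-level actions granted only on the bucket ARN and not on `bucket/*`. Account IDs, bucket name, region and key ID are constructed placeholders; nothing here calls AWS.

```python
"""Cross-account S3 + SSE-KMS: build the policies account A and B need and
audit a bucket policy for object-ARN mistakes. Offline; placeholders only."""
import json
import re

# Constructed placeholders, not the asker's real identifiers.
ACCOUNT_A = "111111111111"      # owns the bucket and the customer managed key
ACCOUNT_B = "222222222222"      # launches the Service Catalog product
BUCKET = "account-a-bucket"
REGION = "us-east-1"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_A}:key/PLACEHOLDER-KEY-ID"

OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def kms_key_policy(owner, consumers, region):
    """Key policy for a customer managed key in account A. The owner keeps
    administration; each consumer account may use the key, but only through
    S3 in this region (kms:ViaService), not for arbitrary Decrypt calls."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnerAccountAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "CrossAccountUseViaS3", "Effect": "Allow",
             "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in consumers]},
             "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
             "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}}},
        ],
    }


def consumer_iam_policy(bucket, key_arn):
    """Identity policy for the user/role in account B. A cross-account grant
    needs both halves: the resource policies in A and this policy in B."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
             "Resource": key_arn},
        ],
    }


def statements_missing_object_arn(bucket_policy):
    """Sids of Allow statements that grant object actions but list no object
    ARN (arn:aws:s3:::bucket/...). Object actions are evaluated against the
    object ARN, so such a statement never matches a GetObject request."""
    bad = []
    for st in bucket_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        if not (actions & OBJECT_ACTIONS) and "s3:*" not in actions:
            continue
        resources = _as_list(st.get("Resource", []))
        if not any(re.fullmatch(r"arn:aws:s3:::[^/]+/.*", r) for r in resources):
            bad.append(st.get("Sid", "<no Sid>"))
    return bad


def key_policy_allows_decrypt(key_policy, account):
    """True if some Allow statement names the account root and kms:Decrypt."""
    root = f"arn:aws:iam::{account}:root"
    for st in key_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {})
        principals = _as_list(p.get("AWS", [])) if isinstance(p, dict) else _as_list(p)
        actions = set(_as_list(st.get("Action", [])))
        if root in principals and ({"kms:Decrypt", "kms:*"} & actions):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(kms_key_policy(ACCOUNT_A, [ACCOUNT_B], REGION), indent=2))
    print(json.dumps(consumer_iam_policy(BUCKET, KEY_ARN), indent=2))
```

After creating the customer managed key with this policy, the bucket's default encryption must be switched to that key (and existing objects re-encrypted, since each object keeps the key it was written with); the bucket policy itself needs no KMS statements.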
