Why am I getting the error “The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access” when I download or copy an object from my Amazon S3 bucket?


I'm getting the following error when I try to download or copy an object from my Amazon Simple Storage Service (Amazon S3) bucket: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

Resolution

You get this error when both of the following conditions are true:

  • The object in the bucket that you're making requests to is encrypted with an AWS Key Management Service (AWS KMS) key.
  • The AWS Identity and Access Management (IAM) role or user that's making the requests doesn't have sufficient permissions to use the AWS KMS key that encrypted the object.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent version of the AWS CLI.

To check how an object is encrypted, run the AWS CLI head-object command:

aws s3api head-object --bucket my-bucket --key my-object

Be sure to do the following in the preceding command:

  • Replace my-bucket with the name of your bucket.
  • Replace my-object with the name of your object.

The output for this command looks like the following:

{
  "AcceptRanges": "bytes",
  "ContentType": "text/html",
  "LastModified": "Thu, 16 Apr 2015 18:19:14 GMT",
  "ContentLength": 77,
  "VersionId": "null",
  "ETag": "\"30a6ec7e1a9ad79c203d05a589c8b400\"",
  "ServerSideEncryption": "aws:kms",
  "Metadata": {},
  "SSEKMSKeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  "BucketKeyEnabled": true
}

The SSEKMSKeyId field in the output specifies the AWS KMS key that was used to encrypt the object.

To resolve this error, do either of the following:

  • Be sure that the policy that's attached to the IAM user or role has the required permissions. Example:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    ]
  }
}
  • Be sure that the AWS KMS policy has the required permissions. Example:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::AWS-account-ID:user/user-name-1"
    },
    "Action": [
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": "*"
  }
}

If the IAM user or role and AWS KMS key are from different AWS accounts, then be sure of the following:

  • The policy that's attached to the IAM entity has the required AWS KMS permissions.
  • The AWS KMS key policy grants the required permissions to the IAM entity.

Important: You can't use the AWS managed keys in cross-account use cases because the AWS managed key policies can't be modified.

To get detailed information about an AWS KMS key, run the describe-key command:

aws kms describe-key --key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

You can also use the AWS KMS console to view details about an AWS KMS key.

Note: Be sure that the AWS KMS key that's used to encrypt the object is enabled.
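The checks in this article (is the object SSE-KMS encrypted, does the key ARN point to the bucket's Region, is the key enabled, is an AWS managed key being used across accounts, and does the key policy grant the principal kms:Decrypt) can be run offline against the JSON that head-object and describe-key return. The following Python script is an added example and is not AWS code: the sample responses and key policy are constructed to match the shapes shown on this page, the function names triage and actions_allowed_by_key_policy are this example's own, and the policy check is a triage aid only (it ignores Deny statements, Condition blocks and the caller's IAM policies, which the real authorization decision also evaluates).

```python
import re

# Constructed sample inputs, shaped like `aws s3api head-object` and
# `aws kms describe-key` output (not captured from a real account).
SAMPLE_HEAD_OBJECT = {
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "BucketKeyEnabled": True,
}
SAMPLE_DESCRIBE_KEY = {
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "KeyState": "Enabled",
        "KeyManager": "CUSTOMER",   # "AWS" for an AWS managed key
    }
}
# Constructed key policy: the key owner's account gets everything, a
# cross-account user gets only kms:DescribeKey (so downloads will fail).
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:user/reader"},
         "Action": ["kms:DescribeKey"], "Resource": "*"},
    ],
}

KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]+)$"
)
# Permission S3 needs on the key to serve a download or copy of a KMS-encrypted object.
REQUIRED_ACTIONS = {"kms:Decrypt"}


def _as_list(value):
    """IAM allows a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Match an IAM action pattern such as 'kms:*' or 'kms:Decrypt' (case-insensitive)."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def actions_allowed_by_key_policy(policy, principal_arn):
    """Return the subset of REQUIRED_ACTIONS that an Allow statement grants to
    principal_arn, its account root, or '*'. A grant to the account root means
    the key policy delegates to IAM, so the IAM policy must also allow the action."""
    account = principal_arn.split(":")[4]
    root_arn = f"arn:aws:iam::{account}:root"
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals = ["*"]
        elif isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = []
        if not any(p in ("*", principal_arn, root_arn, account) for p in principals):
            continue
        for action in REQUIRED_ACTIONS:
            if any(_action_matches(pat, action) for pat in _as_list(stmt.get("Action"))):
                allowed.add(action)
    return allowed


def triage(head_object, describe_key, bucket_region, caller_account,
           key_policy=None, principal_arn=None):
    """Return a list of findings that explain why the download or copy may fail
    with the KMS 'customer master key ... does not exist' error."""
    if head_object.get("ServerSideEncryption") != "aws:kms":
        return ["object is not SSE-KMS encrypted; this KMS error does not apply to it"]
    key_arn = head_object.get("SSEKMSKeyId", "")
    m = KMS_KEY_ARN.match(key_arn)
    if not m:
        return [f"SSEKMSKeyId {key_arn!r} is not a full KMS key ARN; cannot continue"]
    findings = []
    key_region, key_account = m.group("region"), m.group("account")
    if key_region != bucket_region:
        findings.append(f"key is in {key_region} but the bucket is in {bucket_region}")
    meta = describe_key.get("KeyMetadata", {})
    if meta.get("KeyState") != "Enabled":
        findings.append(f"key state is {meta.get('KeyState')!r}, not 'Enabled'")
    if key_account != caller_account and meta.get("KeyManager") == "AWS":
        findings.append("AWS managed key cannot be used cross-account (its key policy cannot be modified)")
    if key_policy is not None and principal_arn:
        missing = REQUIRED_ACTIONS - actions_allowed_by_key_policy(key_policy, principal_arn)
        if missing:
            findings.append(f"key policy does not grant {sorted(missing)} to {principal_arn}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HEAD_OBJECT, SAMPLE_DESCRIBE_KEY, "us-west-2", "444455556666",
                    SAMPLE_KEY_POLICY, "arn:aws:iam::444455556666:user/reader"):
        print("finding:", f)
```

To use it against a real bucket, pipe the output of the head-object and describe-key commands shown above (and aws kms get-key-policy --policy-name default) into json.load and pass the results to triage together with the bucket's Region and the caller's account ID. An empty list means none of the conditions this article describes were detected; each string names one that was.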

Related information

My Amazon S3 bucket has default encryption using a custom AWS KMS key. How can I allow users to download from and upload to the bucket?

Do I need to specify the AWS KMS key when I download a KMS-encrypted object from Amazon S3?

AWS OFFICIAL