I want to use an AWS Identity and Access Management (IAM) role to download an SSE-KMS encrypted Amazon Simple Storage Service (Amazon S3) object. But, I receive an “Access Denied” error.
Resolution
Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) uses forward access sessions (FAS) to make AWS KMS API requests on your behalf. Because those requests don't originate from your own IP address, an IP address restriction in your policy can unintentionally deny them. When you use an IP-restricted IAM role and try to download an Amazon S3 object that's encrypted with SSE-KMS, you might receive an "Access Denied" error.
To modify the policy that's attached to your IAM user to include the aws:ViaAWSService condition, complete the following steps:
- Open your current policy for your IAM user that restricts IP addresses. Example restricted policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {
                        "aws:SourceIp": [
                            "IP ADDRESS"
                        ]
                    }
                }
            }
        ]
    }
- Modify the policy to include the aws:ViaAWSService condition. Example IAM user policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {
                        "aws:SourceIp": [
                            "IP ADDRESS"
                        ]
                    },
                    "Bool": {
                        "aws:ViaAWSService": "false"
                    }
                }
            }
        ]
    }
Note: With the aws:ViaAWSService condition set to "false", the Deny statement applies only to requests that you make directly. API calls that AWS services make on your behalf (such as the AWS KMS call that Amazon S3 makes for SSE-KMS) are no longer blocked by the IP address restriction, while direct requests from outside the allowed IP address range are still denied.
Related information
IP address condition operators