
Cross Account Copy S3 Objects From Account B to AWS KMS-encrypted bucket in Account A


My Amazon Simple Storage Service (Amazon S3) bucket in Account A is encrypted with an AWS managed AWS Key Management Service (AWS KMS) key.

I have created a Lambda function to copy objects from Account B to Account A, which has an AWS managed KMS key used for server-side encryption on the S3 bucket.

When the function executes and tries to copy objects from the AWS account (Account B) to the Account A S3 bucket, I get an Access Denied error.

I came across a Knowledge Center article which talks about the same scenario **except for one difference**: in that article they are talking about the **Customer Managed Key** server-side encryption mechanism.

Because they are using a customer managed encryption key, they are able to modify the KMS key policy to allow the Lambda function role ARN permission for the kms:Decrypt action.

As mentioned earlier, for an S3 bucket encrypted with AWS managed keys, we can't modify the key policy because it is managed by AWS.

So, my question is: how do we copy objects from S3 buckets in Account B to Account A (with AWS managed KMS encryption enabled)?

Reference Links:

Changing a key policy documentation

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html#key-policy-modifying-how-to-console-policy-view

Thanks in advance.

2 Answers

Hi, as it says in the reference link you provided: "Because AWS managed KMS key policies can't be updated, cross-account permissions also can't be granted for those key policies. Additionally, objects that are encrypted using an AWS managed KMS key can't be accessed by other AWS accounts".

If you want cross-account access you have to use a customer managed KMS key.

answered 8 months ago
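The answer above is the whole story for the AWS managed key: its policy trusts only the owning account and cannot be edited, so a role in Account B can never be granted kms:Decrypt or kms:GenerateDataKey on it. Once the bucket in Account A is re-keyed with a customer managed key, two things have to line up, and the thread's Knowledge Center link covers only the first: the key policy in Account A must name the Account B role, and the role's own IAM identity policy in Account B must also allow the KMS actions on that key (cross-account KMS access needs both, and either one missing still produces Access Denied). The block below is an added illustration, not code from the thread or from AWS; every account id, ARN, bucket name and key id in it is a made-up placeholder, and the "missing permissions" check is a deliberately simple reading of Allow statements (no wildcard-principal or Condition evaluation) that is only meant to show which grant is absent.

```python
"""Cross-account copy into an SSE-KMS bucket: the policy pieces the AWS managed
key (aws/s3) cannot provide. Added illustration, not code from the re:Post thread;
every account id, ARN, bucket name and key id below is a made-up placeholder."""
import copy

ACCOUNT_A = "111111111111"            # destination account: owns bucket and CMK (placeholder)
ACCOUNT_B = "222222222222"            # source account: runs the copy Lambda (placeholder)
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/copy-lambda-role"
DEST_BUCKET = "account-a-bucket"
CMK_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/11111111-2222-3333-4444-555555555555"

# S3 calls GenerateDataKey when it writes an SSE-KMS object and Decrypt when it
# reads one back, so a principal that copies objects in needs both on the key.
REQUIRED_KMS_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}

# Constructed sample: the default policy on a new customer managed key, trusting
# only the owning account. The aws/s3 key's policy has the same shape but is not
# editable, which is exactly why the copy in the thread is denied.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, principal_arn):
    """Actions that Allow statements grant explicitly to principal_arn.
    Simplified on purpose: wildcard principals and Conditions are ignored."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        actions.update(_as_list(stmt["Action"]))
    return actions


def missing_kms_permissions(key_policy, principal_arn):
    """Subset of REQUIRED_KMS_ACTIONS that key_policy does not grant the principal."""
    allowed = allowed_actions(key_policy, principal_arn)
    return set() if "kms:*" in allowed else REQUIRED_KMS_ACTIONS - allowed


def grant_cross_account_use(key_policy, principal_arn, actions=REQUIRED_KMS_ACTIONS):
    """Copy of key_policy with the cross-account statement appended: the edit the
    Knowledge Center article makes on a customer managed key. Idempotent."""
    new_policy = copy.deepcopy(key_policy)
    stmt = {
        "Sid": "AllowCrossAccountCopyRole",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": sorted(actions),
        "Resource": "*",
    }
    if stmt not in new_policy["Statement"]:
        new_policy["Statement"].append(stmt)
    return new_policy


def lambda_role_identity_policy(cmk_arn, dest_bucket):
    """IAM policy for the Account B role. The key policy grant in Account A is not
    enough on its own: the caller's identity policy must allow the same actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(REQUIRED_KMS_ACTIONS), "Resource": cmk_arn},
            {"Effect": "Allow", "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{dest_bucket}/*"},
        ],
    }


def dest_bucket_policy(dest_bucket, principal_arn, cmk_arn):
    """Bucket policy in Account A: let the role write, and deny any PutObject that
    is not encrypted with the expected key (hardening beyond the thread's question)."""
    objects = f"arn:aws:s3:::{dest_bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": principal_arn},
             "Action": "s3:PutObject", "Resource": objects},
            {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
             "Resource": objects,
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": cmk_arn}}},
        ],
    }


def copy_object_kwargs(src_bucket, key, dest_bucket, cmk_arn):
    """Keyword arguments for boto3 S3.Client.copy_object(): name the destination
    key explicitly and hand the object to the bucket owner so Account A can read it."""
    return {
        "CopySource": {"Bucket": src_bucket, "Key": key},
        "Bucket": dest_bucket,
        "Key": key,
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": cmk_arn,
        "ACL": "bucket-owner-full-control",
    }
```

Running `missing_kms_permissions(DEFAULT_KEY_POLICY, LAMBDA_ROLE_ARN)` returns both required actions, which is the situation the question describes; after `grant_cross_account_use` it returns an empty set, and the same check against the Account A root principal is empty from the start because of the `kms:*` grant. In the Lambda itself, `s3.copy_object(**copy_object_kwargs(...))` is the call; passing `SSEKMSKeyId` explicitly avoids relying on the bucket's default encryption setting. The bucket-policy Deny is an added safeguard, not something the thread asks for: it refuses writes that arrive without the expected key, so a misconfigured client cannot land plaintext or differently-keyed objects in the bucket.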

@skinsman - Thanks for your input. I understood it. If that's the scenario, then there is one part that I would like to understand.

As I mentioned, Account A has AWS managed key (KMS) encryption set on the S3 bucket. So when I performed **the same Lambda function execution on Account A to copy objects to the Account B (server-side encryption SSE-S3) S3 bucket**, it successfully copied.

Only when I was copying objects from Account B to Account A was I getting the error message "Access Denied".

Can you please help me understand that?

answered 8 months ago
