DMS Serverless Replication - getting no permission to access source rds custom kms key

0

Have source as Postgres RDS and target as S3 bucket.

Source Postgres RDS is encrypted with a custom KMS key. While using standard provisioned DMS task, this is working fine, with the custom key being accessed fine and source and target endpoints working fine. Data movement / CDC also verified.

However, we've decided to use DMS serverless replication. While trying to use the same endpoints that previously worked in the standard DMS task, the serverless replication process fails during connection testing, with the error below:

Test connection failed for endpoint 'source_endpoint' and replication config 'dms-serverless-rep'. Failure Message: 'No permission to access Key 'arn:aws:kms:ap-southeast-2:XXXXXXXXXXXX:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx''

Setup done for the above so far, but nothing worked:

  • DMS serverless service-linked role - AWSServiceRoleForDMSServerless - this role has been granted all access in the custom key policy, snippet attached.

The service-linked role can't be modified, so I tried giving full access to the service principal and the service-linked role from the custom key policy, and ended up with the same issue.

Also the user account has been granted full access to the key.

KMS key policy snippet (the `*` characters in the action and resource fields were lost in the original paste and are restored here):

    {
        "Sid": "Enable full access to DMS service principal",
        "Effect": "Allow",
        "Principal": {
            "Service": "dms.amazonaws.com"
        },
        "Action": "kms:*",
        "Resource": "*"
    },
    {
        "Sid": "Allow attachment of persistent resources",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-service-role/dms.amazonaws.com/AWSServiceRoleForDMSServerless"
        },
        "Action": "kms:*",
        "Resource": "*"
    },
    {
        "Sid": "Allow admin access ",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::XXXXXXXXXXXX:root"
            ]
        },
        "Action": "kms:*",
        "Resource": "*"
    }
2 Answers
1

You seem to be hitting the limitation mentioned at https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Serverless.Limitations.html

AWS DMS serverless doesn't support using AWS customer managed keys. AWS DMS serverless only supports using the default DMS key.

AWS
answered 11 days ago
  • Thanks for responding. I had seen that limitation; I thought that's related to DMS Serverless Replication not being able to encrypt data being replicated in transit using a custom KMS key. Was hoping that since the custom KMS key is only being accessed to decrypt the data from the source RDS, it's still feasible using the serverless replication.

    Is the above understanding correct, or is the limitation for any interaction with a custom KMS key, whether it's to decrypt from the source RDS or to encrypt data in transit?

0
Accepted Answer

There seems to be some confusion here. Please note that when we create a DMS endpoint with a KMS key, that KMS key is used to encrypt the connection parameters for the endpoint and is not used to connect to the source or target. Connection-level encryption is provided with SSL or TLS and doesn't need KMS to decrypt the source or target storage.

I also understand that it works with provisioned DMS and fails with a custom KMS key (not using aws/dms) for serverless DMS. Let me know if it helps. You can always use aws/dms to encrypt the connection parameters for the endpoint.

AWS
answered 11 days ago
  • Thanks, there was a gap in my understanding; this is resolved now using just the default KMS key.
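The accepted answer makes two points worth turning into a pre-flight check before switching a task to DMS Serverless: the endpoint's `KmsKeyId` only protects the stored connection parameters (so it must be the default `aws/dms` key for serverless), and the actual database connection is protected by the endpoint's SSL mode, not by KMS. The script below is an added example written for this thread, not AWS code or anything from the re:Post answers. It works on dictionaries shaped like `aws dms describe-endpoints` and `aws kms describe-key` / `list-aliases` output; the endpoint names, account ID and key ARNs are constructed placeholders, and the `serverless_kms_findings` / `classify_key` function names and the `Aliases` field (which you would populate yourself from `list-aliases`) are this example's own conventions.

```python
"""Pre-flight check for DMS Serverless: flag endpoints whose KMS key is not
the AWS-managed aws/dms key, and database endpoints with SslMode "none".

Added example for this thread, not AWS-provided code.  The input dicts mimic
`aws dms describe-endpoints` (Endpoints[]) and `aws kms describe-key`
(KeyMetadata) output; the values below are constructed samples.
"""

DEFAULT_DMS_ALIAS = "alias/aws/dms"
# Assumption: SslMode is not meaningful for object-store targets such as S3,
# so the TLS check is skipped for them.
NON_DB_ENGINES = {"s3"}

# Constructed sample endpoints (abbreviated describe-endpoints shape).
SAMPLE_ENDPOINTS = [
    {   # source RDS endpoint encrypted with a customer-managed key (CMK)
        "EndpointIdentifier": "source_endpoint",
        "EndpointType": "SOURCE",
        "EngineName": "postgres",
        "SslMode": "require",
        "KmsKeyId": "arn:aws:kms:ap-southeast-2:111122223333:key/11111111-2222-3333-4444-555555555555",
    },
    {   # S3 target using the default aws/dms key
        "EndpointIdentifier": "target_s3",
        "EndpointType": "TARGET",
        "EngineName": "s3",
        "SslMode": "none",
        "KmsKeyId": "arn:aws:kms:ap-southeast-2:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    },
    {   # database target using the default key but no TLS on the connection
        "EndpointIdentifier": "target_pg_nossl",
        "EndpointType": "TARGET",
        "EngineName": "postgres",
        "SslMode": "none",
        "KmsKeyId": "arn:aws:kms:ap-southeast-2:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    },
]

# Constructed key metadata keyed by ARN: KeyManager comes from describe-key,
# Aliases is filled in by the caller from list-aliases (this example's convention).
SAMPLE_KEY_METADATA = {
    "arn:aws:kms:ap-southeast-2:111122223333:key/11111111-2222-3333-4444-555555555555": {
        "KeyManager": "CUSTOMER", "Aliases": ["alias/rds-postgres-cmk"]},
    "arn:aws:kms:ap-southeast-2:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": {
        "KeyManager": "AWS", "Aliases": [DEFAULT_DMS_ALIAS]},
}


def classify_key(key_arn, key_info):
    """Return 'default' (aws/dms), 'customer' (CMK) or 'unknown' (not described)."""
    meta = key_info.get(key_arn)
    if meta is None:
        return "unknown"
    if meta.get("KeyManager") == "AWS" and DEFAULT_DMS_ALIAS in meta.get("Aliases", []):
        return "default"
    return "customer"


def serverless_kms_findings(endpoints, key_info):
    """Return a list of findings; an empty list means the endpoints are ready."""
    findings = []
    for ep in endpoints:
        name = ep["EndpointIdentifier"]
        kind = classify_key(ep.get("KmsKeyId", ""), key_info)
        if kind != "default":
            findings.append({
                "endpoint": name, "check": "kms-key", "severity": "error",
                "detail": f"KmsKeyId is a {kind} key; DMS Serverless only supports the "
                          "default aws/dms key, which protects stored connection "
                          "parameters, not the data path.",
            })
        if ep.get("EngineName") not in NON_DB_ENGINES and ep.get("SslMode", "none") == "none":
            findings.append({
                "endpoint": name, "check": "ssl", "severity": "warning",
                "detail": "SslMode is 'none'; connection-level encryption for DMS "
                          "endpoints comes from SSL/TLS, not from the KMS key.",
            })
    return findings


if __name__ == "__main__":
    for f in serverless_kms_findings(SAMPLE_ENDPOINTS, SAMPLE_KEY_METADATA):
        print(f"[{f['severity']}] {f['endpoint']}: {f['check']} - {f['detail']}")
```

Run against real output by replacing the two sample structures with the JSON from the CLI calls named in the comments; the `kms-key` finding is the exact condition that produced the "No permission to access Key" test-connection failure in the question, caught before the replication config is created rather than at connection-test time.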
