I am working in two separate AWS accounts and have created a Service Catalog Product Portfolio in account A that I imported into account B. I have a permissions error when I launch the imported products in account B. Specifically, I am getting "access denied by S3". I have attempted to remedy this by modifying the bucket policy of the bucket in account A to allow GetObject permissions to account B. However, the error is still stating that my user is not authorized to perform "kms:decrypt". The S3 bucket in account A uses the default SSE-KMS, so there is no KMS policy for me to modify as it stands. Do I need to create a KMS key specific for this bucket and modify the KMS policy to allow these permissions, or is there a better way to solve this cross-account permissions problem? I've provided the error messages and my bucket policy below for further clarification. Thank you!
Error message:
Resource Type: AWS::Lambda::Function
StatusReason: Resource handler returned message: "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for <account-A-bucket>. S3 Error Code: AccessDenied. S3 Error Message: User: arn:aws:iam::<account-B>:user/me is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access (Service: Lambda, Status Code: 403, Request ID: <redacted>)" (RequestToken: <redacted>, HandlerErrorCode: AccessDenied)
Bucket A bucket policy:
{
  "Version": "2012-10-17",
  "Id": "AccessControl",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<account-A-bucket>",
        "arn:aws:s3:::<account-A-bucket>/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "ExternalServiceCatalogAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-A>:root",
          "arn:aws:iam::<account-B>:root"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::<account-A-bucket>",
        "arn:aws:s3:::<account-A-bucket>/*"
      ]
    }
  ]
}
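The following is an added worked example, not part of the question above and not the asker's own code. It models offline why the bucket policy alone cannot fix this error: reading an SSE-KMS object requires kms:Decrypt on the key that wrapped the object's data key, and that call is authorized by the key's key policy, not by the bucket policy. The AWS-managed key aws/s3 has a fixed key policy that only trusts the owning account (via a kms:CallerAccount condition), so no cross-account grant is possible on it. The fix is a customer-managed key whose key policy trusts account B, an IAM policy in account B that delegates kms:Decrypt on that key, and the bucket's default encryption switched to that key. The account IDs, key ARN, region and user name below are constructed placeholders, and the evaluator is a deliberately simplified model of KMS authorization (explicit Deny wins; cross-account needs the key policy and the caller's identity policy to both allow; only StringEquals conditions are handled). It makes no AWS API calls.

```python
"""Offline model of cross-account SSE-KMS authorization (added example)."""
import fnmatch

# Constructed placeholders for this example; not the asker's real identifiers.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
REGION = "us-east-1"
S3_VIA_SERVICE = f"s3.{REGION}.amazonaws.com"
AWS_S3_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_A}:key/aaaaaaaa-managed-aws-s3-key"
CMK_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_A}:key/bbbbbbbb-customer-managed-key"
USER_A = f"arn:aws:iam::{ACCOUNT_A}:user/admin"
USER_B = f"arn:aws:iam::{ACCOUNT_B}:user/me"


def _root(account):
    return f"arn:aws:iam::{account}:root"


# Shape of the policy AWS attaches to the managed aws/s3 key: any principal,
# but only when the caller is in the owning account and comes through S3.
# This policy cannot be edited, which is why account B can never be added.
AWS_MANAGED_S3_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow access through S3 for all principals in the account",
        "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:CallerAccount": ACCOUNT_A,
                                       "kms:ViaService": S3_VIA_SERVICE}},
    }],
}

# Customer-managed key for the bucket: account A administers it, account B
# may decrypt, but only through S3 (least privilege via kms:ViaService).
CMK_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": _root(ACCOUNT_A)}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowAccountBDecryptViaS3", "Effect": "Allow",
         "Principal": {"AWS": _root(ACCOUNT_B)},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": S3_VIA_SERVICE}}},
    ],
}

# The key policy trusts account B's root; IAM in account B must delegate that
# to the actual principal (user/me), scoped to the one key.
ACCOUNT_B_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
                   "Resource": CMK_ARN}],
}
# Over-broad IAM policy, to show that IAM alone cannot override a key policy.
BROAD_IDENTITY_POLICY = {"Version": "2012-10-17",
                         "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
NO_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(stmt, ctx):
    # Only StringEquals is modelled; it is all these policies use.
    return all(ctx.get(k) == v
               for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items())


def _principal_matches(stmt, caller_arn, caller_account):
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return any(p in ("*", caller_arn, caller_account, _root(caller_account)) for p in allowed)


def _effects(policy, action, resource, ctx, caller=None):
    """Yield the Effect of each statement matching this request."""
    for stmt in policy["Statement"]:
        if caller is not None and not _principal_matches(stmt, *caller):
            continue
        if (_matches(stmt["Action"], action) and _matches(stmt.get("Resource", "*"), resource)
                and _conditions_hold(stmt, ctx)):
            yield stmt["Effect"]


def kms_allowed(key_policy, identity_policy, caller_arn, key_arn, action, via_service=None):
    """Simplified KMS decision for one request."""
    caller_account, key_account = caller_arn.split(":")[4], key_arn.split(":")[4]
    ctx = {"kms:CallerAccount": caller_account}
    if via_service:
        ctx["kms:ViaService"] = via_service
    key_effects = list(_effects(key_policy, action, key_arn, ctx, (caller_arn, caller_account)))
    iam_effects = list(_effects(identity_policy, action, key_arn, ctx))
    if "Deny" in key_effects or "Deny" in iam_effects:
        return False
    if caller_account == key_account:
        return "Allow" in key_effects   # same account: the key policy decides
    return "Allow" in key_effects and "Allow" in iam_effects


if __name__ == "__main__":
    print("aws/s3 key, broad IAM:", kms_allowed(AWS_MANAGED_S3_KEY_POLICY, BROAD_IDENTITY_POLICY, USER_B, AWS_S3_KEY_ARN, "kms:Decrypt", S3_VIA_SERVICE))
    print("CMK, B IAM, via S3:   ", kms_allowed(CMK_KEY_POLICY, ACCOUNT_B_IDENTITY_POLICY, USER_B, CMK_ARN, "kms:Decrypt", S3_VIA_SERVICE))
```

The first scenario reproduces the "not authorized to perform: kms:Decrypt" denial even with an over-broad IAM policy in account B, because the managed key's policy pins kms:CallerAccount to account A. With the customer-managed key, account B's user is allowed only when both the key policy and the account B IAM policy grant the action and the call arrives through S3; a direct kms:Decrypt call from the same user, or a user in account B with no IAM policy, is still refused. After creating the key, point the bucket's default encryption at it (for example with `aws s3api put-bucket-encryption`) and re-upload the product artifacts, since objects already written under aws/s3 stay encrypted under aws/s3; the error surfaces on the Lambda resource because the function code object is fetched with the launching user's credentials.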