
cross-account permissions for S3 bucket access


I am working in two separate AWS accounts and have created a Service Catalog Product Portfolio in account A that I imported into account B. I have a permissions error when I launch the imported products in account B. Specifically, I am getting "access denied by S3". I have attempted to remedy this by modifying the bucket policy of the bucket in account A to allow GetObject permissions to account B. However, the error is still stating that my user is not authorized to perform "kms:decrypt". The S3 bucket in account A uses the default SSE-KMS, so there is no KMS policy for me to modify as it stands. Do I need to create a KMS key specific for this bucket and modify the KMS policy to allow these permissions, or is there a better way to solve this cross-account permissions problem? I've provided the error messages and my bucket policy below for further clarification. Thank you!

Error message: Resource Type: AWS::Lambda::Function StatusReason: Resource handler returned message: "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for <account-A-bucket>. S3 Error Code: AccessDenied. S3 Error Message: User: arn:aws:iam::<account-B>:user/me is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access (Service: Lambda, Status Code: 403, Request ID: <redacted>)" (RequestToken: <redacted>, HandlerErrorCode: AccessDenied)

Bucket A bucket policy (the wildcards were lost in extraction; "Principal": "*", "s3:*" and the "/*" object resource are restored here):

{
  "Version": "2012-10-17",
  "Id": "AccessControl",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<account-A-bucket>",
        "arn:aws:s3:::<account-A-bucket>/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "ExternalServiceCatalogAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-A>:root",
          "arn:aws:iam::<account-B>:root"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::<account-A-bucket>",
        "arn:aws:s3:::<account-A-bucket>/*"
      ]
    }
  ]
}

1 Answer

Hi,

This guidance is written for Glue, but it also applies to our case regarding the missing KMS key: https://repost.aws/knowledge-center/glue-400-errors-kms

Please read it and transpose it from the Glue context to your S3 context.

Best.

Didier

AWS EXPERT, answered a year ago
Reviewed by an EXPERT a year ago
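The underlying cause in this thread is that the bucket is encrypted with the AWS managed key (aws/s3), whose key policy cannot be edited and which cannot be used from another account, so no bucket policy change will ever satisfy the kms:Decrypt check. The following is an added example, not code from the question or the answer, showing the three policy documents that have to agree for a principal in account B to read an SSE-KMS object in account A (bucket policy, customer-managed key policy, and the caller's own IAM policy), together with a deliberately simplified policy evaluator so the combinations can be checked offline. Account IDs, the bucket name and the key ARN are constructed placeholders; the evaluator only models Allow/Deny, root-account delegation and the aws:SecureTransport Bool condition, not the full IAM evaluation logic.

```python
import fnmatch

# Constructed placeholders: not real accounts, bucket or key
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
BUCKET = "account-a-bucket"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/00000000-0000-0000-0000-000000000000"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/templates/app.yaml"
HTTPS_CTX = {"aws:SecureTransport": "true"}   # request context of a TLS request


def bucket_policy(bucket, external_account):
    """Bucket policy in account A: TLS-only Deny plus a grant to account B's root.
    Object actions need the '/*' resource; the bare bucket ARN covers only bucket-level actions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "ExternalServiceCatalogAccess", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{external_account}:root"},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def customer_managed_key_policy(owner_account, external_account):
    """Key policy for a customer-managed key that account A owns and account B may use.
    Decrypt covers reads; Encrypt/GenerateDataKey cover writes of SSE-KMS objects."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowExternalAccountUse", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{external_account}:root"},
         "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"}]}


def aws_managed_key_policy(owner_account):
    """Simplified model of the non-editable aws/s3 key: usable from the owning account only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
         "Action": "kms:*", "Resource": "*"}]}


def identity_policy(bucket, key_arn=None):
    """IAM policy on the user/role in account B. Cross-account access is granted only when the
    identity policy AND the resource policy both allow; omit key_arn to model a missing kms grant."""
    stmts = [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]
    if key_arn:
        stmts.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn})
    return {"Version": "2012-10-17", "Statement": stmts}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(stmt_principal, principal_arn):
    # '*' matches everyone; an account root ARN delegates to every principal of that account
    if stmt_principal == "*":
        return True
    for p in _as_list((stmt_principal or {}).get("AWS", [])):
        if p in ("*", principal_arn):
            return True
        if p.endswith(":root") and p.split(":")[4] == principal_arn.split(":")[4]:
            return True
    return False


def _condition_holds(cond, ctx):
    # Only the Bool operator is modeled, which is enough for aws:SecureTransport
    return all(str(ctx.get(k, "")).lower() == str(v).lower() for k, v in cond.get("Bool", {}).items())


def evaluate(policy, principal_arn, action, resource, ctx, identity=False):
    """Simplified IAM evaluation: explicit Deny wins, any matching Allow grants, default is deny.
    Identity policies carry no Principal element, so that check is skipped for them."""
    decision = "deny"
    for stmt in policy["Statement"]:
        if not identity and not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def cross_account_allowed(principal_arn, action, resource, resource_policy, id_policy, ctx=HTTPS_CTX):
    """A principal from another account needs an Allow in the resource policy and in its own policy."""
    return (evaluate(resource_policy, principal_arn, action, resource, ctx) == "allow"
            and evaluate(id_policy, principal_arn, action, resource, ctx, identity=True) == "allow")


def can_read_encrypted_object(principal_arn, key_policy, bkt_policy, id_policy):
    """Reading an SSE-KMS object needs s3:GetObject on the object AND kms:Decrypt on its key."""
    return (cross_account_allowed(principal_arn, "s3:GetObject", OBJECT_ARN, bkt_policy, id_policy)
            and cross_account_allowed(principal_arn, "kms:Decrypt", KEY_ARN, key_policy, id_policy))


if __name__ == "__main__":
    user_b = f"arn:aws:iam::{ACCOUNT_B}:user/me"
    bp, idp = bucket_policy(BUCKET, ACCOUNT_B), identity_policy(BUCKET, KEY_ARN)
    print("aws/s3 key:", can_read_encrypted_object(user_b, aws_managed_key_policy(ACCOUNT_A), bp, idp))
    print("customer-managed key:", can_read_encrypted_object(user_b, customer_managed_key_policy(ACCOUNT_A, ACCOUNT_B), bp, idp))
```

The three failing combinations worth checking are the ones practitioners hit in this order: the AWS managed key (no editable key policy, so account B is never granted), a customer-managed key whose policy grants account B but an IAM user in B without kms:Decrypt, and a plain-HTTP request that trips the SecureTransport Deny before any Allow is considered. After switching the bucket's default encryption to the customer-managed key, existing objects stay encrypted under the old aws/s3 key until they are re-uploaded or copied in place, so re-encrypt the Service Catalog templates as well.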
