Some AWS Backup S3 Restores Fail with "Access denied to KMS Key"


Hello,

We are having an issue with AWS Backup where some bucket restores are failing with the message "Access denied to KMS Key". We have tried both restoring with default settings and with SSE-S3 encryption. Looking at CloudTrail, we don't see any failures of decryption. The default backup role has the AWSBackupServiceRolePolicyForS3Backup and AWSBackupServiceRolePolicyForS3Restore. What is odd is that one bucket worked. Also, in our restore testing from a month ago, they all worked. We are unable to figure out what key it is trying to access and why it is being denied.

Thank you!

asked 2 months ago, 116 views
1 Answer

Hello,

I have determined the issue. The issue is that some of the objects in the bucket had public access granted via ACLs. In the testing we did and the AWS Backup restore testing, the buckets were set with "Bucket and objects not public" ... When it hit an object that needed to set a public ACL, it failed. This error message is obviously not correct. However, setting up a bucket that does not have public access blocked and then performing a restore results in the restore working. Clearly, that is the issue; the messaging is just wrong.

Thanks!

answered 2 months ago
EXPERT
reviewed a month ago
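
The condition described in the answer above can be checked before a restore. The following is an added example, not part of the original post and not AWS code: it flags objects whose ACL grants access to a public group when the destination bucket has BlockPublicAcls enabled. The dict shapes follow S3 GetObjectAcl and GetPublicAccessBlock responses; the object keys, owner ID and function names are constructed for illustration, and it assumes BlockPublicAcls is the setting that rejects the write.

```python
# Added example: the ACL and configuration dicts below are constructed samples
# in the shape returned by S3 GetObjectAcl and GetPublicAccessBlock.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_grants(acl):
    """Return the grants in a GetObjectAcl-style response that target a public group."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def restore_conflicts(object_acls, public_access_block):
    """List keys whose public ACL the destination bucket would reject.

    Assumption: BlockPublicAcls on the destination is what rejects the write.
    """
    if not public_access_block.get("BlockPublicAcls", False):
        return []
    return sorted(key for key, acl in object_acls.items() if public_grants(acl))


# Constructed sample data (hypothetical keys and owner ID).
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
SAMPLE_ACLS = {
    "reports/private.csv": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    "site/logo.png": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
}
BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
           "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
OPEN = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print("blocked destination:", restore_conflicts(SAMPLE_ACLS, BLOCKED))
    print("open destination:   ", restore_conflicts(SAMPLE_ACLS, OPEN))
```

The flagged keys are the objects to review before the restore, so the decision about whether each one should remain public is made per object rather than by opening up the whole destination bucket.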
