AccessDenied error on signed url with CloudFront


I followed the directions and was able to create a signed url for cloudfront access to an s3 bucket, but now I am getting an access error on the kms decryption (the bucket is encrypted at rest):

<Error> <Code>AccessDenied</Code> <Message>User: arn:aws:sts::<account>:assumed-role/OriginAccess_POP_us-east-1/EdgeCredentialsProxy+EdgeHostAuthenticationClient-IAD12-P2 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access</Message>

How do I grant kms:Decrypt access for the key to this assumed role? Or did I do something wrong with the way I set up at-rest encryption?

2 Answers

Did you take a look at this blog post? It explains the step-by-step process for how to "Enable SSE-KMS for CloudFront OAC".

Refer to the "Enable SSE-KMS for CloudFront OAC" section in the above-mentioned blog post, which explains how to update the KMS key policy for the CloudFront distribution.

Check S3 bucket properties to find which KMS key is being used.

Hope this helps.

Comment here if you have additional questions, happy to help.

Abhishek

answered 8 months ago
  • Thanks for your answer -- I think it's helpful but I am still not out of the woods. I tried adding the key policy statement to my key, but I still get the same error. I assume that needs to be a second statement in the policy in addition to the default policy? Also, eventually I need to do this in terraform. Any pointers for that would be appreciated.

  • Can you please paste that key policy (default + the one you added) after masking account details? I can certainly help.

  • Hey, let me know if you are still facing the issue, I'd like to take a look at your key policy.

  • Thanks so much for your help -- S3 was using a different key to encrypt on upload than the one I specified for the bucket! I still needed the article you pointed to, though, for the permissions on the key, so thanks much for that.
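The two checks this answer and its comments come down to, as an added example that is not the answerer's code: appending the documented OAC statement to the existing (default) key policy rather than replacing it, and comparing the key an object was actually uploaded with against the bucket's default key. It assumes the boto3 response shapes of get_bucket_encryption and head_object; the account id, distribution id and key ids are placeholders.

```python
import json

# Key-policy statement from the "Enable SSE-KMS for CloudFront OAC" guidance
# this answer points to. Account and distribution ids are supplied by the
# caller; the Sid is the one AWS uses in that guidance.
def oac_kms_statement(account_id: str, distribution_id: str) -> dict:
    return {
        "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"],
        "Resource": "*",
        # Scope the grant to one distribution so no other CloudFront
        # distribution (in any account) can use this key.
        "Condition": {"StringEquals": {"AWS:SourceArn":
            f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}},
    }

def add_oac_statement(key_policy_json: str, account_id: str, distribution_id: str) -> str:
    """Append the OAC statement to an existing key policy. The default
    'Enable IAM User Permissions' statement is kept (removing it can lock
    you out of the key); an older statement with the same Sid is replaced."""
    policy = json.loads(key_policy_json)
    stmt = oac_kms_statement(account_id, distribution_id)
    kept = [s for s in policy.get("Statement", []) if s.get("Sid") != stmt["Sid"]]
    policy["Statement"] = kept + [stmt]
    return json.dumps(policy, indent=2)

def _key_id(value):
    # Reduce "arn:aws:kms:...:key/<id>" or a bare "<id>" to "<id>". An alias
    # ("alias/name") does not match a key id and is reported as a mismatch.
    return value.rsplit("/", 1)[-1] if value else None

def object_uses_bucket_default_key(bucket_encryption: dict, object_head: dict) -> bool:
    """True when the object's SSEKMSKeyId (head_object) is the bucket's default
    KMSMasterKeyID (get_bucket_encryption). False is what the asker hit:
    uploads were encrypted with a key other than the bucket default."""
    rule = bucket_encryption["ServerSideEncryptionConfiguration"]["Rules"][0]
    default_key = rule["ApplyServerSideEncryptionByDefault"].get("KMSMasterKeyID")
    return _key_id(object_head.get("SSEKMSKeyId")) == _key_id(default_key)

# Constructed sample responses shaped like boto3's get_bucket_encryption and
# head_object output; every id below is fake.
SAMPLE_BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
     "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-bucket-key"}}]}}
SAMPLE_OBJECT_HEAD = {"ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/9876wxyz-upload-key"}
```

The string add_oac_statement returns is what kms put-key-policy, or the policy argument of a Terraform aws_kms_key resource, takes; run object_uses_bucket_default_key over a head_object response for a failing object before touching the key policy, since a mismatch there means you are editing the wrong key.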

Accepted Answer

There are a couple of things you can try to resolve the AccessDenied error for KMS decryption when accessing an S3 bucket via a CloudFront signed URL:

1) Update the key policy for the KMS key used to encrypt the S3 bucket to allow the CloudFront service principal arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity to call kms:Decrypt on the key.
2) Ensure the KMS key and S3 bucket are in the same region. CloudFront is trying to decrypt the objects in the edge location region, which must match the key.
3) Double check that the signed URL was generated using the same CloudFront key pair associated with the Origin Access Identity for the distribution. Mismatched keys can cause decryption failures.
4) Verify that the CloudFront distribution has access to the S3 bucket objects via an OAI policy on the bucket sub-resources.

In most cases, explicitly allowing the CloudFront service principal access to the KMS key via the key policy should resolve the issue. Let me know if you continue to see AccessDenied errors!

answered 8 months ago
  • Good points. We are using OAC instead of OAI, per Amazon recommendations.
