Some AWS Backup S3 Restores Fail with "Access denied to KMS Key"

Question

Hello,

We are having an issue with AWS backup where some bucket restores are failing with the message "Access denied to KMS Key" . We have tried both restoring with default settings and with SSE-S3 encryption. Looking at cloudtrail, we don't see any failures of decryption. The default backup role has the AWSBackupServiceRolePolicyForS3Backup and AWSBackupServiceRolePolicyForS3Restore. What is odd is that one bucket worked. Also, in our restore testing from a month ago, they all worked. We are unable to figure out what key it is trying to access and why it is being denied.

Thank you!

Answer

Hello,

I have determined the issue. The issue is that some of the objects in the bucket had public access granted via ACLs. In the testing we did and the AWS Backup restore testing, the buckets were set with "Bucket and objects not public" ... When it hit an object that needed to set a public ACL, it failed. This error message is obviously not correct. However, setting up a bucket that does not have public access blocked and then performing a restore results in the restore working. Clearly, that is the issue, the messaging is just wrong.

Thanks!

Some AWS Backup S3 Restores Fail with "Access denied to KMS Key"

相關內容