alwaysAStudent

Reputation: 2264

s3 cross account access with default kms key

I have an s3 bucket in my account which has SSE enabled using default aws-kms key. I wish to provide read access to another account to my bucket.

I have followed the following link to provide access: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/

I am using aws s3 ls <s3://bucket_name> and aws s3 cp <path to s3 object> . to download the object

I tried providing cross-account access to a bucket without SSE enabled. I was successfully able to retrieve bucket details and download the object. However, when I try to download an object from a bucket with SSE enabled I get an "An error occurred (AccessDenied) when calling the GetObject operation: Access Denied" exception. I am able to list objects from the SSE-enabled bucket, just not download them.

My bucket policy:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                    "arn:aws:iam::<Account_B_AWS_Account_Id>:role/ReadOnly"
              ]
            },
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

The ReadOnly role in the account has read permissions to all aws services. In addition I attached the following policy to the role as well

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SomeProperites",
            "Effect": "Allow",
            "Action": [
                "s3:GetLifecycleConfiguration",
                "s3:ListBucketByTags",
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:GetBucketLogging",
                "s3:ListBucketVersions",
                "s3:GetAccelerateConfiguration",
                "s3:ListBucket",
                "s3:GetBucketPolicy",
                "s3:GetEncryptionConfiguration",
                "s3:GetObjectAcl",
                "s3:GetObjectVersionTorrent",
                "s3:GetBucketRequestPayment",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketWebsite",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetBucketNotification",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:GetObject",
                "s3:GetObjectTorrent",
                "s3:DescribeJob",
                "s3:GetBucketCORS",
                "s3:GetAnalyticsConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetBucketLocation",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Sid": "SomePermission",
            "Effect": "Allow",
            "Action": [
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListJobs",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KMSWriteKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

I believe I am not able to GetObject due to KMS decryption, since I am able to download from an SSE-disabled bucket. Is my policy above correct? Do I need to provide some additional permissions if using default KMS keys? Is it possible to use default KMS keys and provide cross-account access?

Upvotes: 9

Views: 12190

Answers (3)

Gert van den Berg

Reputation: 2756

The documentation states the following:

Objects encrypted using SSE-KMS with AWS managed keys can't be shared cross-account. If you need to share SSE-KMS data cross-account, you must use a customer managed key from AWS KMS.

So you need to use a CMK for cross-account sharing. It is possible to re-encrypt objects in the bucket to the new key. That seems outside the scope of the question, but is documented in a blog post.

Upvotes: 0

JustinGu

Reputation: 101

-> SSE enabled using default aws-kms key

This is the AWS Managed KMS key; you can only view its key policy, you cannot edit it. So you will not be able to do cross-account S3 object sharing with the SSE-KMS AWS managed key.

Please switch to using an SSE-KMS Customer Managed Key and grant the cross-account principal the decrypt action in the selected KMS CMK.

Upvotes: 10

Jorge Garcia

Reputation: 2560

To grant access to an AWS KMS-encrypted bucket in Account A to a user in Account B, you must have these permissions in place:

  • The bucket policy in Account A must grant access to Account B.
  • The AWS KMS key policy in Account A must grant access to the user in Account B.
  • The AWS Identity and Access Management (IAM) user policy in Account B must grant the user access to both the bucket and the key in Account A.

See more information here:

https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/

Upvotes: -1
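The two answers above say the same thing from different angles: the bucket policy, the key policy and the reader's IAM policy all have to allow the call, and the key policy of an AWS managed key can't be changed to name a foreign principal. The script below is an added illustration (not code from the question or the answers, and not AWS's real policy evaluator) that models only the policy elements involved here. The account ids, bucket name, role ARN and key ARN are constructed placeholders; the "AWS managed key" policy is modelled on the default aws/s3 key policy, which restricts use to callers from the key's own account via the kms:CallerAccount and kms:ViaService conditions.

```python
"""Offline model of how S3 and KMS policies combine for a cross-account GetObject on an
SSE-KMS object. Added example: handles only Effect, Principal, Action, Resource and
StringEquals conditions, which is enough to show why an AWS managed key fails and a
customer managed key (CMK) works. All ids and ARNs below are constructed placeholders."""
import fnmatch
import json

ACCOUNT_A = "111111111111"  # owns the bucket and the key (constructed)
ACCOUNT_B = "222222222222"  # the account that needs read access (constructed)
REGION = "us-east-1"
BUCKET = "example-bucket"
READER = f"arn:aws:iam::{ACCOUNT_B}:role/ReadOnly"
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_A}:key/00000000-0000-0000-0000-000000000000"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn, account_id):
    """IAM identity policies carry no Principal element; a resource policy must name
    the caller, the caller's account (root), or '*' to apply to it."""
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", principal_arn, account_id, f"arn:aws:iam::{account_id}:root"):
            return True
    return False


def _conditions_hold(stmt, context):
    """Only StringEquals is modelled: each listed key must match the request context."""
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def allows(policy, principal_arn, account_id, action, resource, context=None):
    """True if the policy grants `action` on `resource` to the caller: an explicit
    Deny always wins, otherwise one matching Allow statement is enough."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt, principal_arn, account_id):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Bucket policy in Account A (constructed). A kms:* statement placed here, as in the
# question, is never consulted by KMS: only a key policy or an IAM policy grants KMS actions.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": READER},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", OBJECTS]}]}

# Modelled default policy of the AWS managed key aws/s3 in Account A: S3 may use the
# key on behalf of callers from Account A only, and this policy cannot be edited.
AWS_MANAGED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": ACCOUNT_A,
                                    "kms:ViaService": f"s3.{REGION}.amazonaws.com"}}}]}

# Customer managed key policy in Account A (constructed) that names the foreign role.
CMK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMPoliciesInAccountA", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowReaderRoleInAccountBToDecrypt", "Effect": "Allow",
     "Principal": {"AWS": READER}, "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

# Identity policy attached to the ReadOnly role in Account B (constructed).
READER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", OBJECTS]},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}


def cross_account_get_object(bucket_policy, key_policy, identity_policy):
    """Cross-account S3 needs the resource policy AND the caller's identity policy to
    allow; for an SSE-KMS object the same pair of checks applies to kms:Decrypt, which
    S3 calls on the caller's behalf (hence kms:ViaService in the context)."""
    kms_ctx = {"kms:CallerAccount": ACCOUNT_B, "kms:ViaService": f"s3.{REGION}.amazonaws.com"}
    checks = {
        "bucket_policy_allows_GetObject": allows(bucket_policy, READER, ACCOUNT_B, "s3:GetObject", OBJECTS),
        "identity_policy_allows_GetObject": allows(identity_policy, READER, ACCOUNT_B, "s3:GetObject", OBJECTS),
        "key_policy_allows_Decrypt": allows(key_policy, READER, ACCOUNT_B, "kms:Decrypt", KEY_ARN, kms_ctx),
        "identity_policy_allows_Decrypt": allows(identity_policy, READER, ACCOUNT_B, "kms:Decrypt", KEY_ARN, kms_ctx),
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    for name, key_policy in (("AWS managed key", AWS_MANAGED_KEY_POLICY), ("customer managed key", CMK_POLICY)):
        ok, checks = cross_account_get_object(BUCKET_POLICY, key_policy, READER_POLICY)
        print(f"{name}: GetObject {'succeeds' if ok else 'is denied'} -> {json.dumps(checks)}")
```

Run as-is, the AWS managed key case fails only on the key-policy check (ListBucket needs no KMS call, which is why listing worked in the question), and switching the key policy to the CMK one with the reader role named makes every check pass. In a real account the equivalent troubleshooting step is reading the CloudTrail event for the failed GetObject, which records whether the denial came from S3 or from the KMS Decrypt call.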
