Home > Software design >  cross account access for decrypt object with default aws/S3 KMS key
cross account access for decrypt object with default aws/S3 KMS key

Time:10-16

In my account A, i have S3 buckets where objects are encrypted default AWS managed key aws/s3.

I want to read these objects from account B lambda . But as in account A the objects are encrypted with AWS managed key aws/s3,I cannot modify the KMS key policy here.

I tried to create a role in account A which has all KMS and S3 permission with trust the role in account B.Then from account B i am assuming this role in A. But still getting

Access denied error in GetObject

What can i do here to read objects in from Account A.Please guide.

Role in Account A

statement
{
   Action: kms:*
   Resource : "*"
   Effect: allow
}
{
  Action: S3:*
   Resource : 
      arn:aws:s3:::my-s3
      arn:aws:s3:::my-s3/*
   Effect: allow
}

CodePudding user response:

aws/s3 is an AWS managed key. As the docs explain, you can't use them for cross-account access.

Because AWS managed KMS key policies can't be updated, cross-account permissions also can't be granted for those key policies. Additionally, objects that are encrypted using an AWS managed KMS key can't be accessed by other AWS accounts.

You have to use customer managed keys (CMK) for cross-account access.

  • Related