My Amazon Simple Storage Service (Amazon S3) bucket is encrypted with a custom AWS Key Management Service (AWS KMS) key. When users from another AWS account try to access my bucket, they get an Access Denied error. How can I fix this?

To grant access to an AWS KMS-encrypted bucket in Account A to a user in Account B, you must have these permissions in place:

  • The bucket policy in Account A must grant access to Account B.
  • The AWS KMS key policy in Account A must grant access to the user in Account B.
  • The AWS Identity and Access Management (IAM) user policy in Account B must grant the user access to both the bucket and the key in Account A.

To troubleshoot the Access Denied error, verify that these permissions are set up correctly.  

The bucket policy in Account A must grant access to the user in Account B

From Account A, review the bucket policy and confirm that there is a statement that allows access from the account ID of Account B.

For example, this bucket policy allows s3:GetObject access to the account ID 111122223333:

{
  "Id": "ExamplePolicy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt1",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::awsexamplebucket/*",
      "Principal": {
        "AWS": [
          "111122223333"
        ]
      }
    }
  ]
}

The AWS KMS key policy in Account A must grant access to the user in Account B

The AWS KMS key policy must grant the user in Account B permissions to these actions: kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey. For example, if you want to grant key access to only one IAM user or role, the key policy statement would be similar to the following:  

{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111122223333:role/role_name"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

From Account A, review the key policy using the AWS Management Console policy view. In the key policy, look for "Sid": "Allow use of the key". Then, confirm that the user in Account B is listed as a principal in that statement.

If you don't see the statement "Sid": "Allow use of the key", switch to view the key policy using the console default view. Then, add Account B's account ID as an external account with access to the key.

The IAM user policy in Account B must grant the user access to both the bucket and the key in Account A

From Account B, open the IAM console, and then open the IAM user or role associated with the user in Account B.

Review the list of permissions policies applied to the IAM user or role. Then, verify that the applied policies grant access to both the bucket and the key.

Note: If the IAM user or role in Account B already has administrator access, then you don't need to grant access to the key from the user's IAM policies.

As an example statement for bucket access, this statement grants the IAM user access to s3:GetObject and s3:PutObject on awsexamplebucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt2",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::awsexamplebucket/*"
    }
  ]
}

As an example statement for key access, this statement grants the IAM user access to use the key (arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt3",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:ReEncrypt*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
    }
  ]
}

For instructions on how to add or correct the IAM user's permissions, see Changing Permissions for an IAM User.
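To walk the three checks above against policy documents pulled from both accounts, here is an added example (not part of this article and not an AWS tool) that evaluates a bucket policy, a key policy and the Account B identity policy for one principal and reports which grants are missing. The sample policies, the object ARN awsexamplebucket/report.csv and the role/other principal are constructed from the article's examples; Deny statements and conditions are deliberately not modelled.

```python
from fnmatch import fnmatchcase

# Concrete KMS operations behind the article's action list (ReEncrypt* and
# GenerateDataKey* are wildcards, so expand them to the operations S3 calls).
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
               "kms:GenerateDataKey", "kms:DescribeKey"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def principal_matches(principal, arn):
    # A bare account ID or the account root ARN delegates to every principal in that account.
    entries = [principal] if isinstance(principal, str) else as_list(principal.get("AWS", []))
    account = arn.split(":")[4]
    return any(e in {arn, account, f"arn:aws:iam::{account}:root", "*"} for e in entries)

def statement_allows(stmt, action, resource, principal_arn):
    # Simplification: Deny, Condition, NotAction and NotPrincipal are not modelled.
    if stmt.get("Effect") != "Allow":
        return False
    if "Principal" in stmt and not principal_matches(stmt["Principal"], principal_arn):
        return False
    return (any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in as_list(stmt.get("Resource", []))))

def policy_allows(policy, action, resource, principal_arn):
    return any(statement_allows(s, action, resource, principal_arn) for s in as_list(policy["Statement"]))

def missing_grants(bucket_policy, key_policy, iam_policy, principal_arn, object_arn, key_arn):
    """(policy, action) pairs nothing grants, in the article's order: bucket, key, then IAM policy."""
    wanted = [("s3:GetObject", object_arn)] + [(a, key_arn) for a in KMS_ACTIONS]
    checks = [("bucket policy (Account A)", bucket_policy, wanted[:1]),
              ("KMS key policy (Account A)", key_policy, wanted[1:]),
              ("IAM policy (Account B)", iam_policy, wanted)]
    return [(name, act) for name, pol, pairs in checks
            for act, res in pairs if not policy_allows(pol, act, res, principal_arn)]

# Constructed sample built from the article's example identifiers and policies.
ROLE = "arn:aws:iam::111122223333:role/role_name"
KEY = "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
OBJ = "arn:aws:s3:::awsexamplebucket/report.csv"
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ["111122223333"]},
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::awsexamplebucket/*"}]}
KEY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": [ROLE]}, "Resource": "*",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]}]}
IAM_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                             "Resource": "arn:aws:s3:::awsexamplebucket/*"}, {"Effect": "Allow", "Resource": KEY,
    "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncrypt*"]}]}
```

With the article's three policies `missing_grants(...)` returns an empty list; if the key policy names a different role, every KMS action comes back tagged with the key policy, which points you at the second check.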

Published: 2019-03-25