How do I resolve the "Access Denied" error in Kinesis Data Firehose when writing to an Amazon S3 bucket?

Last updated: 2020-10-15

I'm trying to write data from Amazon Kinesis Data Firehose to an Amazon Simple Storage Service (Amazon S3) bucket that's encrypted by AWS Key Management Service (AWS KMS). However, I receive an "Access Denied" error message. How do I resolve this?

Resolution

Important: Make sure that the AWS Identity and Access Management (IAM) role for Kinesis Data Firehose has relevant Amazon S3 permissions. For more information about S3 permissions, see Grant Kinesis Data Firehose access to an Amazon S3 destination.

To resolve the "Access Denied" error message in Kinesis Data Firehose, perform the following steps:

1. Open the AWS KMS console.

2. Choose the KMS key that is currently used to encrypt your S3 bucket.

3. Choose Switch to policy view.

4. Check that you have the required permissions in the KMS key policy. Proper access allows you to encrypt data that is written to your S3 bucket.

Note: For more information about KMS key policies, see Protecting data using server-side encryption with CMKs stored in AWS Key Management Service (SSE-KMS).

5. Update your policy, granting Kinesis Data Firehose access to the KMS key:

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<account-ID>:role/<FirehoseRole>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "<ARN of the KMS key>"
}

Be sure to specify the Amazon Resource Name (ARN) of the KMS key that encrypted your S3 bucket.

6. Choose Save.

You can also resolve the "Access Denied" error message without editing the key policy document manually. To resolve the error message, perform the following steps:

1. Open the AWS KMS console.

2. Choose the KMS key that is currently being used to encrypt your S3 bucket.

3. In the Key users section, choose Add.

4. Select your Kinesis Data Firehose role.

5. Choose Add. You now have the proper permissions to write data from Kinesis Data Firehose to the encrypted S3 bucket.
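Whichever of the two procedures you use, the result is a key policy statement for the Firehose role. As an added check that is not part of this article, the following Python script parses a key policy document and reports which of the actions from the statement in step 5 are not granted to a given role; the account ID, role name, key ARN and policy are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Concrete forms of the actions the article's statement grants with wildcards.
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
                    "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:DescribeKey")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, role_arn):
    # Key policies name principals as "*" or as {"AWS": arn-or-list-of-arns}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and role_arn in _as_list(principal.get("AWS", []))

def _resource_matches(resource, key_arn):
    # In a key policy "*" means "this key"; an explicit key ARN also counts.
    return any(r in ("*", key_arn) for r in _as_list(resource))

def missing_actions(policy_json, role_arn, key_arn):
    """Return the required actions that no Allow statement grants to role_arn.

    Simplification: Deny statements, NotAction/NotPrincipal and Condition
    blocks are ignored, so an empty result means "nothing obviously missing".
    """
    allowed = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if (stmt.get("Effect") != "Allow"
                or not _principal_matches(stmt.get("Principal", {}), role_arn)
                or not _resource_matches(stmt.get("Resource", "*"), key_arn)):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action matching is case-insensitive and honours '*' wildcards.
            allowed.update(a for a in REQUIRED_ACTIONS
                           if fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in REQUIRED_ACTIONS if a not in allowed]

# Constructed sample: the account ID, role name and key ID are placeholders.
SAMPLE_ROLE = "arn:aws:iam::123456789012:role/FirehoseDeliveryRole"
SAMPLE_KEY = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": SAMPLE_ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
     "Resource": "*"}]})
```

To check a real key, feed the script the policy returned by `aws kms get-key-policy --key-id <key-id> --policy-name default --output text`; an empty list means every action in the article's statement is granted to the role.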
