How do I resolve the "putClassificationExportConfiguration" error in Amazon Macie?
I enabled Amazon Macie and tried to configure an Amazon Simple Storage Service (Amazon S3) repository for sensitive data discovery results. However, I received an error similar to the following: "putClassificationExportConfiguration: The operation can't be performed because you're not authorized to access the S3 bucket, the KMS key, or both."
Short description
This error message means that there are permission configuration issues with Macie.
Resolution
Check the permissions for the Amazon S3 bucket, AWS Key Management Service (AWS KMS) key, and AWS Identity and Access Management (IAM) policy.
IAM permissions
1. Open the IAM console, and then choose Users.
2. Choose the User name, and then choose the Permissions tab.
3. Verify that the user is allowed to perform the following API actions:
macie2:PutClassificationExportConfiguration s3:CreateBucket s3:GetBucketLocation s3:ListAllMyBuckets s3:PutBucketAcl s3:PutBucketPolicy s3:PutBucketPublicAccessBlock s3:PutObject kms:ListAliases
For more information, see Verify your permissions.
Amazon S3 permissions
Make sure that the Amazon S3 bucket policy has permissions similar to the following:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Deny non-HTTPS access", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::<BUCKET>/*", "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Sid": "Deny incorrect encryption header. This is optional", "Effect": "Deny", "Principal": { "Service": "macie.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::<BUCKET>/*", "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption-aws-kms-key-id": "<ARN OF KMS KEY>" } } }, { "Sid": "Deny unencrypted object uploads. This is optional", "Effect": "Deny", "Principal": { "Service": "macie.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::<BUCKET>/*", "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" } } }, { "Sid": "Allow Macie to upload objects to the bucket", "Effect": "Allow", "Principal": { "Service": "macie.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::<BUCKET>/*" }, { "Sid": "Allow Macie to use the getBucketLocation operation", "Effect": "Allow", "Principal": { "Service": "macie.amazonaws.com" }, "Action": "s3:GetBucketLocation", "Resource": "arn:aws:s3:::<BUCKET>" } ] }
AWS KMS permissions
Make sure that the AWS KMS key policy has permissions similar to the following:
{ "Sid": "Allow Macie to use the key", "Effect": "Allow", "Principal": { "Service": "macie.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Encrypt" ], "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": [ "arn:aws:macie2:Region:111122223333:export-configuration:*", "arn:aws:macie2:Region:111122223333:classification-job/*" ] } } }
For more information, see Troubleshooting errors.
Note: It's a best practice to grant least privileges for only the permissions required to perform a task. For more information, see Grant least privilege.
Related information
Relevant content
- asked a year ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 3 months ago
