0
votes

Background

I am working on a task to generate an AWS QuickSight report in Account B from AWS Systems Manager Inventory data in the Account A S3 bucket (s3 sync).

I have successfully added all the resource sync data into the cross-account (Account A) S3 bucket using SSM resource data sync. The bucket is encrypted using an AWS-KMS key (the key is located in Account A) and the same key has been used in the resource data sync in all the accounts to add data to the cross-account bucket.

Moreover, I am using Athena in Account B to create a sample database and schemas from the S3 sync data.

Problem

Athena can successfully create the database and schemas in Account B and also add metadata from Account B to the Account A S3 bucket. It keeps showing access denied when I am trying to see "preview table".

Error

Your query has the following error(s):
com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 3F5896D43C82733B; S3 Extended Request ID (Path: s3://bucket/AWS:Application/accountid=../region=us-east-1/resourcetype=ManagedInstanceInventory/i-..json)

Athena and QuickSight are working in the account where the bucket and key are located, but I want to keep the bucket in a different account.

I am trying to implement Best practices for patching your AWS and hybrid environment, but with a different account and with a KMS key.

I have followed all the documentation about Athena cross-account access with KMS but no luck. I also added a decrypt IAM policy to the QuickSight service role.

My IAM role has full admin access. It uses assume role.

Can someone guide me on this issue? Thank you.

1
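The setup described in the question has three policies that must all agree before a principal in Account B can read KMS-encrypted objects in Account A's bucket: the bucket policy in Account A, the KMS key policy in Account A, and the identity policy on the role in Account B. The following is an added example (not code from the question, the answer, or AWS documentation) that builds the three documents for placeholder account IDs, bucket name, key ARN and role name, and includes a small checker that reports which required actions a policy fails to grant to a given principal. The evaluator is deliberately simplified: it ignores Deny statements, conditions and resource scoping, so an empty result is necessary but not sufficient for access to work.

```python
import json
from fnmatch import fnmatchcase

# All identifiers below are constructed placeholders, not values from the post.
ACCOUNT_A = "111111111111"  # owns the S3 bucket and the KMS key
ACCOUNT_B = "222222222222"  # runs Athena and QuickSight
BUCKET = "example-ssm-inventory-bucket"
KEY_ARN = (f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/"
           "00000000-0000-0000-0000-000000000000")
READER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/AthenaInventoryReader"  # hypothetical role

# Real IAM actions: reads are needed for "preview table", writes for Athena
# dropping metadata into the bucket, as the question describes it doing.
S3_READ_ACTIONS = ("s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject")
S3_WRITE_ACTIONS = ("s3:PutObject",)
KMS_READ_ACTIONS = ("kms:Decrypt", "kms:DescribeKey")
KMS_WRITE_ACTIONS = ("kms:GenerateDataKey",)
BUCKET_RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]


def bucket_policy():
    """Account A bucket policy: grants the Account B role list/read/write on the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountInventoryAccess",
            "Effect": "Allow",
            "Principal": {"AWS": READER_ROLE_ARN},
            "Action": list(S3_READ_ACTIONS + S3_WRITE_ACTIONS),
            "Resource": BUCKET_RESOURCES,
        }],
    }


def key_policy():
    """Account A KMS key policy: the bucket policy alone still yields AccessDenied
    on SSE-KMS objects unless the key policy also names the foreign principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "CrossAccountDecrypt", "Effect": "Allow",
             "Principal": {"AWS": READER_ROLE_ARN},
             "Action": list(KMS_READ_ACTIONS + KMS_WRITE_ACTIONS),
             "Resource": "*"},
        ],
    }


def reader_role_policy():
    """Identity policy attached to the Account B role: cross-account access is
    granted only when the caller's own account allows it as well."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(S3_READ_ACTIONS + S3_WRITE_ACTIONS),
             "Resource": BUCKET_RESOURCES},
            {"Effect": "Allow", "Action": list(KMS_READ_ACTIONS + KMS_WRITE_ACTIONS),
             "Resource": KEY_ARN},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """Identity policies carry no Principal; resource policies must name the ARN or '*'."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def missing_grants(policy, principal_arn, actions):
    """Return the subset of `actions` that no Allow statement grants to `principal_arn`.
    Wildcards such as "kms:*" are honoured; Deny, Condition and Resource are ignored."""
    granted = set()
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or not _principal_matches(statement, principal_arn):
            continue
        for pattern in _as_list(statement["Action"]):
            granted.update(a for a in actions if fnmatchcase(a, pattern))
    return set(actions) - granted


if __name__ == "__main__":
    checks = (("bucket policy", bucket_policy(), S3_READ_ACTIONS),
              ("key policy", key_policy(), KMS_READ_ACTIONS),
              ("role policy", reader_role_policy(), S3_READ_ACTIONS + KMS_READ_ACTIONS))
    for name, policy, acts in checks:
        print(f"{name}: missing {missing_grants(policy, READER_ROLE_ARN, acts) or 'nothing'}")
    print(json.dumps(key_policy(), indent=2))
```

Running the script prints "missing nothing" for all three documents; dropping the CrossAccountDecrypt statement from the key policy, which is the common mistake when only the bucket policy has been opened up, makes the checker report kms:Decrypt and kms:DescribeKey as missing for the Account B role. Note that the check is by exact principal ARN: a key policy that names only the Account B root still needs the role's own identity policy to carry the kms actions, and a role ARN is not matched by a statement that names the account root.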

1 Answers

0
votes

If you create a resource data sync for an AWS Region that came online since the Asia Pacific (Hong Kong) Region (ap-east-1) or later, then you must enter a region-specific service principal entry in the SSMBucketDelivery section. The following example includes a region-specific service principal entry for ssm.ap-east-1.amazonaws.com.

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html