I am trying to put a text file from a Lambda function in Account A into an S3 bucket in Account B. The S3 bucket (test-bucket) has AWS-KMS encryption enabled. I added the permissions below:
Added the bucket policy below to the S3 bucket in Account B:
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy",
    "Statement": [
        {
            "Sid": "ExampleStmt",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA:role/Lambda-Role"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test-bucket/*"
        }
    ]
}
Added the policy below to the KMS key:
{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA:role/Lambda-Role"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
Added the inline policy below to the Lambda role in Account A, giving it access to the KMS key:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:ReEncrypt*"
            ],
            "Resource": [
                "arn:aws:kms:us-west-2:AccountB:key/KMS-ID"
            ]
        }
    ]
}
The files do upload to the Account B S3 bucket, but I am not able to view/download any of them. I get this error:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>5H3KEXCJ7YSCJS</RequestId>
<HostId>hqwavZZo6D0asdddcvfff+prEtoBCwTFH0AYtzzzzzztqAaPflzs85aaaaa=</HostId>
</Error>
When I check the file properties it shows: Server-side encryption - Access denied. I don't know what I am missing here. Could someone please guide me?
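The cross-account upload described in the question, as an added example that is not code from the original post. A PutObject made from Account A into a bucket in Account B leaves the object owned by Account A unless the bucket's Object Ownership is set to "bucket owner enforced"; the bucket owner then has no access to the object, which is the usual cause of AccessDenied on a file that uploaded fine. The example sends the upload with SSE-KMS pointing at the Account B key ARN and the bucket-owner-full-control canned ACL, then reads the object ACL back and checks that the bucket owner holds FULL_CONTROL. The bucket name and key ARN are taken from the post's placeholders; the canonical user IDs and the sample ACL responses are constructed for the offline check. The helper names (build_put_object_args, bucket_owner_has_full_control, upload_and_verify) are assumptions, not an AWS or boto3 API.

```python
"""Cross-account SSE-KMS upload that leaves the bucket owner able to read the object.

Added example, not code from the original post. BUCKET and KMS_KEY_ARN reuse the
post's placeholders; the canonical IDs and sample ACL responses are constructed.
"""
from typing import Any, Dict

BUCKET = "test-bucket"
# A KMS key in another account must be referenced by its full ARN, not a bare key ID or alias.
KMS_KEY_ARN = "arn:aws:kms:us-west-2:AccountB:key/KMS-ID"  # placeholder from the post

# Constructed canonical user IDs standing in for the two accounts (not real IDs).
ACCOUNT_A_CANONICAL_ID = "a" * 64  # uploader (Lambda role's account)
ACCOUNT_B_CANONICAL_ID = "b" * 64  # bucket owner


def build_put_object_args(bucket: str, key: str, body: bytes, kms_key_arn: str) -> Dict[str, Any]:
    """Arguments for s3.put_object for a cross-account, SSE-KMS upload.

    Without the bucket-owner-full-control ACL the object stays owned by the
    uploading account and the bucket owner cannot read it (unless the bucket
    uses Object Ownership = bucket owner enforced, where ACLs are disabled and
    this particular canned ACL is still accepted).
    """
    return {
        "Bucket": bucket,
        "Key": key,
        "Body": body,
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": kms_key_arn,
        "ACL": "bucket-owner-full-control",
    }


def bucket_owner_has_full_control(acl: Dict[str, Any], bucket_owner_id: str) -> bool:
    """Inspect a get_object_acl response: does the bucket owner hold FULL_CONTROL?"""
    if acl.get("Owner", {}).get("ID") == bucket_owner_id:
        return True  # object is owned by the bucket owner outright
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "CanonicalUser"
                and grantee.get("ID") == bucket_owner_id
                and grant.get("Permission") == "FULL_CONTROL"):
            return True
    return False


# Constructed get_object_acl responses: an upload made without the ACL, and one made with it.
ACL_WITHOUT_FIX = {
    "Owner": {"ID": ACCOUNT_A_CANONICAL_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_A_CANONICAL_ID}, "Permission": "FULL_CONTROL"},
    ],
}
ACL_WITH_FIX = {
    "Owner": {"ID": ACCOUNT_A_CANONICAL_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_A_CANONICAL_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_B_CANONICAL_ID}, "Permission": "FULL_CONTROL"},
    ],
}


def upload_and_verify(key: str, body: bytes, bucket_owner_id: str) -> bool:
    """Upload as the Account A role, then confirm the bucket owner was granted access."""
    import boto3  # imported here so the pure helpers above run without boto3 installed

    s3 = boto3.client("s3")
    s3.put_object(**build_put_object_args(BUCKET, key, body, KMS_KEY_ARN))
    acl = s3.get_object_acl(Bucket=BUCKET, Key=key)
    return bucket_owner_has_full_control(acl, bucket_owner_id)


if __name__ == "__main__":
    # Needs Account A credentials for the Lambda role and the real Account B canonical ID.
    print(upload_and_verify("hello.txt", b"hello from account A\n", ACCOUNT_B_CANONICAL_ID))
```

Two practical notes. The bucket owner can make the ACL mandatory rather than hoping every writer remembers it, by adding to the PutObject statement of the bucket policy a condition `"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}`, so uploads without it are rejected instead of landing unreadable. And the Account B principal who opens the file in the console still needs kms:Decrypt on the key through an IAM policy, since the key policy above only hands Account B's root the right to delegate, not a grant to every user.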