Example in CPM backup log:
10-24-18 10:11:04 - Error - Volume DR copy snapshot failed for region US East (N. Virginia), snapshot snap-11111111111111111 (to DR account). Reason: Failed adding share permission to snapshot snap-11111111111111111 (original volume: vol-22222222222222222). Reason: Not authorized to use key arn:aws:kms:us-east-1:1234567890ab:key/ba1234567890-1234-5678-283746163517
Example from AWS CloudTrail JSON log:
This is an example of the error on the ReEncrypt operation:
User: arn:aws:sts::444996954394:assumed-role/CPM-Service-Backups-Role/CPM-assumed-prod is not authorized to perform: kms:ReEncryptFrom on resource: arn:aws:kms:us-east-1:1234567890ab:key/ba1234567890-1234-5678-283746163517
This is an example of the error on the ModifySnapshotAttribute operation:
Not authorized to use key arn:aws:kms:us-east-1:1234567890ab:key/ba1234567890-1234-5678-283746163517
The user identity is not necessarily listed in the CloudTrail “errorMessage” attribute (as in the ModifySnapshotAttribute example above); look at the “userIdentity/arn” attribute of the same event to find the user identity.
Cause: The user/role is not listed as a “key user” for that KMS key.
Solution: Add this user/role as a “key user” for that key. In the AWS console, navigate to the KMS page, select the KMS key, and under “Key users” add the user or role.