Knowledge Base Article: Resolving Access Denied Error in N2WS S3 Sync

Issue

When attempting to copy an object between S3 buckets using AWS KMS for encryption, you encounter the following error:

copy failed: s3://atestbucket2022-with-kms/CPM Configurations.pdf to s3://s3sync-cross-account-destination-with-kms/CPM Configurations.pdf An error occurred (AccessDenied) when calling the CopyObject operation: User: arn:aws:sts::123456789123:assumed-role/N2WS_Role_backup/i-00cf8874bfd4c8c0f is not authorized to perform: kms:GenerateDataKey on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access

Cause

This error occurs because the principal performing the copy (in the message above, the assumed role N2WS_Role_backup) does not have permission to use the kms:GenerateDataKey action on the KMS key that encrypts the destination bucket. KMS evaluates the key policy first: if the key policy neither names the role nor delegates access to its account, the call is denied regardless of what the role's IAM policy says. This can happen if the KMS key is not accessible from the target account or if the key is not available in the specified region.

Solution

To resolve this issue, you need to allow access from the target account to the KMS key in the source account. Follow these steps:

  1. Modify the KMS Key Policy:

    • In the AWS Management Console, navigate to the KMS service.
    • Select the customer managed key used for encryption.
    • Under the Key Policy section, add a statement to allow access from the target account.

    Example policy statement:

    {
      "Version": "2012-10-17",
      "Id": "key-policy",
      "Statement": [
        {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789123:role/N2WS_Role_backup"
          },
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow cross-account access",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::target-account-id:root"
          },
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "*"
        }
      ]
    }
    
  2. Add the Source Account Under Other AWS Accounts:

    • In the KMS console, go to the Customer managed keys section.
    • Select the relevant key and navigate to the Other AWS accounts tab.
    • Add the source account ID to allow cross-account access.

  3. Verify IAM Role Permissions:

    • Ensure the IAM role N2WS_Role_backup has the necessary permissions to perform the kms:GenerateDataKey action.
    • Example IAM policy:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:GenerateDataKey",
              "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:region:account-id:key/key-id"
          }
        ]
      }
      
  4. Check Region Configuration:

    • Ensure the KMS key exists in the same region as the S3 buckets involved in the copy operation.

  5. Test the Configuration:

    • After updating the policies, test the copy operation to ensure it completes successfully.
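    The access decision that steps 1 to 3 change can be reproduced offline before touching the console. The script below is an added example, not N2WS code and not an AWS SDK call: it models the KMS rule that a key policy either names the caller's role directly or delegates to the caller's account root (the statement the Other AWS accounts tab writes), and that in the delegated case, as for any cross-account caller, the caller's IAM policy must also allow the action. Condition, NotAction, NotPrincipal, KMS grants and SCPs are not modelled. The caller ARN is the one quoted in the error message; the key ARN, the key-owning account 111122223333 and the three policy documents are constructed sample values.

```python
"""Offline model of the KMS authorization decision behind the AccessDenied error.
Added example (not N2WS code).  Simplified: Condition, NotAction, NotPrincipal,
KMS grants and SCPs are ignored.  ARNs, account IDs and policies are constructed."""
import fnmatch
import re

SESSION_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/")


def principal_identity(caller_arn):
    """Map the STS session ARN shown in an AccessDenied message to the IAM role
    ARN that key policies and IAM policies actually name."""
    m = SESSION_RE.match(caller_arn)
    if m:
        account, role = m.groups()
        return f"arn:aws:iam::{account}:role/{role}", account
    return caller_arn, caller_arn.split(":")[4]


def _listify(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def _matches(patterns, value):
    # Action and Resource elements allow '*' wildcards and are case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _listify(patterns))


def _principal_scope(statement, role_arn, account):
    """'direct' if the statement names the role (or '*'), 'account' if it only
    delegates to the caller's account root, otherwise None."""
    principal = statement.get("Principal")
    if principal == "*":
        return "direct"
    entries = _listify(principal.get("AWS")) if isinstance(principal, dict) else []
    if "*" in entries or role_arn in entries:
        return "direct"
    if f"arn:aws:iam::{account}:root" in entries or account in entries:
        return "account"
    return None


def key_policy_decision(key_policy, role_arn, account, key_arn, action):
    """Return 'deny', 'direct', 'account' or 'none' for the key policy alone."""
    scopes = set()
    for st in key_policy.get("Statement", []):
        scope = _principal_scope(st, role_arn, account)
        if scope and _matches(st.get("Action"), action) and _matches(st.get("Resource", "*"), key_arn):
            if st.get("Effect") == "Deny":
                return "deny"
            scopes.add(scope)
    return "direct" if "direct" in scopes else "account" if "account" in scopes else "none"


def iam_policy_decision(iam_policy, key_arn, action):
    """Return 'deny', 'allow' or 'none' for the caller's identity policy."""
    result = "none"
    for st in (iam_policy or {}).get("Statement", []):
        if _matches(st.get("Action"), action) and _matches(st.get("Resource"), key_arn):
            if st.get("Effect") == "Deny":
                return "deny"
            result = "allow"
    return result


def can_use_key(caller_arn, key_arn, key_policy, iam_policy=None, action="kms:GenerateDataKey"):
    """Combine both policies the way KMS does: a direct same-account grant in the
    key policy suffices; account-root delegation or any cross-account access also
    needs an Allow in the caller's IAM policy.  Returns (allowed, reason)."""
    role_arn, caller_account = principal_identity(caller_arn)
    key_account = key_arn.split(":")[4]
    kdec = key_policy_decision(key_policy, role_arn, caller_account, key_arn, action)
    idec = iam_policy_decision(iam_policy, key_arn, action)
    if "deny" in (kdec, idec):
        return False, "explicit Deny"
    if kdec == "none":
        return False, f"key policy grants {action} neither to {role_arn} nor to account {caller_account}"
    if kdec == "direct" and caller_account == key_account:
        return True, "key policy names the role directly"
    if idec != "allow":
        return False, "key policy allows, but the caller's IAM policy does not cover the key"
    return True, "key policy and IAM policy both allow"


# --- constructed sample data (caller ARN taken from the error message) ---------
CALLER = "arn:aws:sts::123456789123:assumed-role/N2WS_Role_backup/i-00cf8874bfd4c8c0f"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
# Default key policy: only the key owner's account root is allowed -> reproduces the error.
DEFAULT_KEY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                                     "Action": "kms:*", "Resource": "*"}]}
# Key policy after steps 1 and 2: the caller's account is delegated GenerateDataKey and Decrypt.
FIXED_KEY_POLICY = {"Statement": DEFAULT_KEY_POLICY["Statement"] + [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789123:root"},
     "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}]}
# IAM policy attached to N2WS_Role_backup after step 3.
ROLE_IAM_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                                  "Resource": KEY_ARN}]}

if __name__ == "__main__":
    for label, kp, ip in [("default key policy", DEFAULT_KEY_POLICY, None),
                          ("key policy fixed, no IAM policy", FIXED_KEY_POLICY, None),
                          ("key policy and IAM policy fixed", FIXED_KEY_POLICY, ROLE_IAM_POLICY)]:
        print(f"{label}: {can_use_key(CALLER, KEY_ARN, kp, ip)}")
```

    Running it shows the three states a practitioner meets in practice: the default key policy denies the role outright (the situation in the error above), a key policy that delegates to the caller's account still denies until the role's IAM policy covers the key, and only the combination of steps 1 to 3 yields an allow. The same function can be fed the real documents returned by `aws kms get-key-policy` and `aws iam get-role-policy` to see which of the two policies is missing before the copy is retried.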

By following these steps, you should be able to resolve the AccessDenied (kms:GenerateDataKey) error and successfully copy objects between S3 buckets using AWS KMS for encryption.