I have an encrypted S3 bucket.
I want to give another account access to this bucket.
Normally I would just do this:
    {
        "Sid": "get",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::99999999999:root"
        },
        "Action": [
            "s3:Get*"
        ],
        "Resource": [
            "arn:aws:s3:::my-bucket/*"
        ]
    }
But this bucket is encrypted and they get this error:
upload failed: ./test to s3://my-bucket/test An error occurred (KMS.NotFoundException) when calling the PutObject operation: Key 'arn:aws:kms:us-east-1:99999999999:key/blahbalbhablhalbhalbh' does not exist
Looks like they need KMS access? I can give their account access to the KMS key with the KMS key policy and that will fix it? If so, I need to create a custom key to edit the policy, right? I want to assign their account ID access to the encrypted bucket directly.
You’re on the right path! You need to create a customer managed KMS key (CMK) and update the KMS key policy to use the key for decryption. Use that encryption key when you put items in the bucket. Make sure the KMS policy is least privilege!
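The three policy documents the answer above implies, as an added example that is not part of the original thread and not anything the poster or AWS published: a customer managed key policy that gives the other account only the two KMS calls S3 makes on its behalf (kms:GenerateDataKey for PutObject, kms:Decrypt for GetObject) and only via S3 (kms:ViaService), a bucket policy granting object read/write to that account, and the identity policy the other account must attach inside its own account (a key policy alone does not grant cross-account use). Account IDs, region and key ARN are constructed placeholders; the bucket name is the one from the post. Two small helper functions summarise and check what the key policy hands to non-owner principals.

```python
"""Cross-account access to an SSE-KMS bucket: key policy, bucket policy,
and the external account's identity policy, plus a least-privilege check.

Added example; IDs below are constructed placeholders, not real accounts.
"""
import json

BUCKET = "my-bucket"                  # bucket name from the post
OWNER_ACCOUNT = "111111111111"        # constructed: owns the bucket and the key
EXTERNAL_ACCOUNT = "999999999999"     # constructed: account being granted access
REGION = "us-east-1"
KEY_ARN = (f"arn:aws:kms:{REGION}:{OWNER_ACCOUNT}:key/"
           "00000000-0000-0000-0000-000000000000")   # placeholder key id


def _as_list(value):
    """IAM accepts a string or a list in Principal/Action; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _aws_principals(stmt):
    """Return the AWS principal ARNs of a statement ("*" stays as "*")."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def kms_key_policy(owner, external, region):
    """Key policy: owner keeps full control (the default statement); the external
    account gets only Decrypt + GenerateDataKey, and only when S3 calls KMS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableKeyOwnerAdmin",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowExternalAccountViaS3",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{external}:root"},
                "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}
                },
            },
        ],
    }


def bucket_policy(bucket, external):
    """Bucket policy: object read/write for the external account, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ExternalAccountObjectAccess",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{external}:root"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def external_identity_policy(key_arn, bucket):
    """Policy the external account attaches to its own users/roles; cross-account
    KMS needs both the key policy and this identity-side allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
             "Resource": key_arn},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def external_kms_grants(policy, owner):
    """Map every non-owner principal account to the KMS actions it is allowed."""
    grants = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for arn in _aws_principals(stmt):
            account = "*" if arn == "*" else arn.split(":")[4]
            if account != owner:
                grants.setdefault(account, set()).update(_as_list(stmt["Action"]))
    return grants


def external_is_least_privilege(policy, owner):
    """False if any non-owner statement uses a wildcard principal or action, or
    lacks a kms:ViaService condition pinning the key to use through S3."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        external = [p for p in _aws_principals(stmt)
                    if p == "*" or p.split(":")[4] != owner]
        if not external:
            continue
        if "*" in external or any("*" in a for a in _as_list(stmt["Action"])):
            return False
        via = stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService", "")
        if not via.startswith("s3."):
            return False
    return True


if __name__ == "__main__":
    docs = [("key policy", kms_key_policy(OWNER_ACCOUNT, EXTERNAL_ACCOUNT, REGION)),
            ("bucket policy", bucket_policy(BUCKET, EXTERNAL_ACCOUNT)),
            ("external identity policy", external_identity_policy(KEY_ARN, BUCKET))]
    for name, doc in docs:
        print(f"--- {name} ---\n{json.dumps(doc, indent=2)}")
```

The key policy is what resolves the KMS.NotFoundException in the post: KMS returns "does not exist" rather than "access denied" to a principal the key policy does not mention, so the error looks like a missing key even though the key is there. Keep `kms:ViaService` on the external statement so the other account cannot call KMS with the key directly, only through S3 in that region.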