We just started using Amazon Macie and we're having an issue when creating the bucket to keep findings for longer than 90 days.
The error we get is:
putClassificationExportConfiguration: The operation can't be performed because you're not authorized to access the S3 bucket, the KMS key, or both.
We're using AWS SSO for connecting to the console and my user has Administrator rights, effectively * in resources and * in actions when I look at my IAM policy configuration.
The S3 bucket policy is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny non-HTTPS access",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::macie-investigations/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "Deny incorrect encryption header. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::macie-investigations/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-west-1:accountid:key/keynumber"
        }
      }
    },
    {
      "Sid": "Deny unencrypted object uploads. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::macie-investigations/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "Allow Macie to upload objects to the bucket",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::macie-investigations/*"
    },
    {
      "Sid": "Allow Macie to use the getBucketLocation operation",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::macie-investigations"
    }
  ]
}
And this is the policy for the symmetric key we've created:
{
  "Sid": "Allow Macie to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "macie.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey",
    "kms:Encrypt"
  ],
  "Resource": "*"
}
The KMS key has my role and Macie's role allowed in both the key administrators and the key usage configuration, as seen here:
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountid:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
          "arn:aws:iam::accountid:user/username"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::accountid:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
          "arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
          "arn:aws:iam::accountid:user/username"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::accountid:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
          "arn:aws:iam::accountid:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_admin",
          "arn:aws:iam::accountid:user/username"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
We have tried creating an IAM user with the specific permission macie2:PutClassificationExportConfiguration, to no avail.
Creating a new bucket, both public and private, also to no avail. We've also tried adding our admin user to the bucket policy explicitly and granting all permissions to the Macie service in the policy, again to no avail. We always get the same error. The buckets are in the same region and account as the key.
The only thing that comes from a different account is the AWS SSO managed roles, which belong to the master account of the organization.
Does anyone have any idea where the missing link is? We're obviously not realizing where to look.
Thanks a lot for your help!
The created key in KMS was missing the following in the policy:
{
  "Sid": "Allow Macie to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "macie.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey",
    "kms:Encrypt"
  ],
  "Resource": "*"
}
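The root cause in this thread is that the key policy only named the Macie service-linked role ARN under an "AWS" principal, while Macie calls KMS as the service principal macie.amazonaws.com, which needs its own "Service" statement. The following script is an added example, not code from the question, the answer or AWS: it reads a resource policy (bucket policy or key policy) and reports which of a service principal's required actions are not covered by any explicit Allow statement with a matching "Service" principal. It is a deliberately narrow check (assumption: Deny statements, Condition blocks, resource ARNs and IAM identity policies are ignored), and the account id and ARNs in the constructed inputs are placeholders modelled on the question.

```python
"""Check whether an AWS resource policy grants a service principal the actions
it needs.  Added example; models only explicit Allow statements whose Principal
contains a "Service" entry (or "*"), with IAM-style wildcard action matching.
Deny statements, Conditions, Resource ARNs and IAM identity policies are
ignored (assumption), so a "missing" result here is a strong hint, not a full
policy simulation."""
import fnmatch
import json
from typing import Iterable, List, Set


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def service_allowed_actions(policy: dict, service: str) -> Set[str]:
    """Collect action patterns allowed to `service` through Service principals."""
    allowed: Set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            services = ["*"]  # anonymous principal: matches any service
        elif isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
        else:
            services = []
        if service in services or "*" in services:
            allowed.update(_as_list(stmt.get("Action")))
    return allowed


def missing_service_actions(policy: dict, service: str,
                            required: Iterable[str]) -> List[str]:
    """Return the required actions no matching Allow statement covers."""
    patterns = service_allowed_actions(policy, service)
    return [a for a in required
            if not any(_action_matches(p, a) for p in patterns)]


def with_statement(policy: dict, statement: dict) -> dict:
    """Return a deep copy of `policy` with `statement` appended."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"] = _as_list(fixed.get("Statement")) + [statement]
    return fixed


# --- Constructed inputs (placeholders; not the poster's real account) -------
ACCOUNT = "111111111111"
MACIE = "macie.amazonaws.com"
MACIE_ROLE = (f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/"
              "macie.amazonaws.com/AWSServiceRoleForAmazonMacie")

# Key policy as in the question: Macie appears only as a role ARN.
KEY_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [MACIE_ROLE]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}

# The statement the accepted answer adds: a Service principal, not a role ARN.
MACIE_KMS_STATEMENT = {
    "Sid": "Allow Macie to use the key", "Effect": "Allow",
    "Principal": {"Service": MACIE},
    "Action": ["kms:GenerateDataKey", "kms:Encrypt"], "Resource": "*",
}

# Bucket policy reduced to its two Allow statements (the Denies are ignored).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": MACIE},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::macie-investigations/*"},
        {"Effect": "Allow", "Principal": {"Service": MACIE},
         "Action": "s3:GetBucketLocation",
         "Resource": "arn:aws:s3:::macie-investigations"},
    ],
}

REQUIRED_KMS = ["kms:GenerateDataKey", "kms:Encrypt"]
REQUIRED_S3 = ["s3:PutObject", "s3:GetBucketLocation"]


def diagnose() -> dict:
    """Run the check on the key policy before and after the fix, and on the bucket."""
    key_after = with_statement(KEY_POLICY_BEFORE, MACIE_KMS_STATEMENT)
    return {
        "key_before": missing_service_actions(KEY_POLICY_BEFORE, MACIE, REQUIRED_KMS),
        "key_after": missing_service_actions(key_after, MACIE, REQUIRED_KMS),
        "bucket": missing_service_actions(BUCKET_POLICY, MACIE, REQUIRED_S3),
    }


if __name__ == "__main__":
    for name, missing in diagnose().items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Running it prints that the bucket policy already covers both S3 actions, that the original key policy covers neither KMS action for the service principal, and that appending the answer's statement closes the gap. A policy that authorises the service-linked role ARN is not wrong, but it does not satisfy a call KMS attributes to the service principal, which is why the console kept reporting "not authorized to access the S3 bucket, the KMS key, or both" even with an administrator session.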