I'm trying to configure AWS Athena in account A to query a dataset in account B. I updated the S3 bucket policy in account A to enforce secure transport and allow access from a specific IAM principal. I also updated the IAM policy in account B to include permissions for Athena, Glue, and S3 access.

However, when trying to query account A in account B, I get the following error:

```
An error has been thrown from the AWS Athena client. com.amazonaws.services.s3.model.AmazonS3Exception: Key 'arn:aws:kms:us-east-2:XXXXXXXXXXXX:key/XXXXXXXXXXXXX' does not exist (Service: Amazon S3; Status Code: 400; Error Code: KMS.NotFoundException; Request ID: XXXXXXXXXX; S3 Extended Request ID: XXXXXXXXX=; Proxy: null), S3 Extended Request ID: XXXXXXXXX
```
From what I can tell, the error references a KMS key that exists in a third AWS account (Sandbox), but the error appears when trying to query the dataset in Account A (Beta) from Account B (QA). This suggests that cross-account KMS access might not be properly set up.
What I've checked so far:

- The IAM policy role in Account B includes permissions for S3, Glue, and Athena.
- The S3 bucket policy in Account A correctly enforces secure transport and grants access to the necessary IAM principal.
- The KMS key in question is in a different AWS account (account A), and it's possible that cross-account access is missing.

Question:

How can I enable cross-account KMS access so that Athena in Account B can read from S3 in Account A, where the KMS key is managed?

Would updating the KMS key policy in Sandbox to allow decryption from the IAM role in QA resolve this? Any other settings I should check?
asked Mar 31 at 22:40 by jipot

1 Answer

> How can I enable cross-account KMS access so that Athena in Account B can read from S3 in Account A, where the KMS key is managed?
You need to add a statement to your key policy in account A to allow your IAM principal in account B to decrypt using the key.

```json
{
    "Sid": "role-xxxx decrypt",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<account-b>:role/role-xxxx"
    },
    "Action": "kms:Decrypt",
    "Resource": "*"
}
```
Then you also need to add the decrypt permission to the identity policy of the principal accessing the bucket:

```json
{
    "Sid": "decrypt",
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:<region>:<account-a>:key/<key-id>"
}
```
You can confirm the key used for bucket level encryption with `aws s3api get-bucket-encryption --bucket <bucket-name>`, or for a specific object with `aws s3api head-object --bucket <bucket-name> --key <key>`.

> Would updating the KMS key policy in Sandbox to allow decryption from the IAM role in QA resolve this? Any other settings I should check?
You also need to add it to the identity policy, but yeah, for a principal to read an S3 object encrypted with a KMS key, they need read access to that object and decrypt permission on the key. So if you add these permissions to the correct principal, for the correct key, then all should work. The only other thing to check that I can think of is if the key is in another region, then you'll need a multi-region key with a replica in your region.
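As an added illustration of the two-policy rule the answer describes (not code from the question or the answer), the script below evaluates a constructed key policy for account A and a constructed identity policy for a role in account B and reports which side is missing `kms:Decrypt`, plus the region mismatch the answer mentions. All account IDs, the key ID and the role name are placeholders; the matcher handles only the plain statement shapes shown in the answer (Allow statements, `*` wildcards in Action/Resource, no Condition or NotAction evaluation), so it is a sanity check on your policy documents, not a substitute for the IAM policy simulator.

```python
import fnmatch

# Constructed placeholders (not from the post): account A owns the bucket and
# the KMS key, account B owns the role that Athena assumes to run the query.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
KEY_ARN = f"arn:aws:kms:us-east-2:{ACCOUNT_A}:key/11111111-2222-3333-4444-555555555555"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/role-xxxx"

# Key policy on the key in account A: the usual root delegation plus the
# cross-account decrypt statement from the answer.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM policies in the key's own account",
         "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "role-xxxx decrypt",
         "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# Identity policy attached to role-xxxx in account B.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "decrypt", "Effect": "Allow",
         "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    # arn:partition:service:region:account-id:resource
    return arn.split(":")[4]


def _region_of(arn):
    return arn.split(":")[3]


def _any_match(patterns, value):
    # IAM-style wildcard matching: '*' matches any run of characters.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def key_policy_allows(key_policy, principal_arn, action, key_arn):
    """True if an Allow statement in the key policy names the principal (its
    exact ARN, its account root, or '*') and grants `action` on the key."""
    account_root = f"arn:aws:iam::{_account_of(principal_arn)}:root"
    for st in key_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(p in ("*", principal_arn, account_root) for p in aws):
            continue
        if _any_match(st.get("Action", []), action) and _any_match(st.get("Resource", []), key_arn):
            return True
    return False


def identity_policy_allows(identity_policy, action, key_arn):
    """True if an Allow statement in the identity policy grants `action` on the key."""
    for st in identity_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if _any_match(st.get("Action", []), action) and _any_match(st.get("Resource", []), key_arn):
            return True
    return False


def diagnose(key_arn, principal_arn, key_policy, identity_policy, bucket_region):
    """Return the reasons a read of an SSE-KMS object would be refused; an empty
    list means the key is in the bucket's region and BOTH the key policy and
    the identity policy grant kms:Decrypt, which is what cross-account access
    requires."""
    problems = []
    if _region_of(key_arn) != bucket_region:
        problems.append("key region differs from bucket region (needs a multi-region key replica)")
    if not key_policy_allows(key_policy, principal_arn, "kms:Decrypt", key_arn):
        problems.append("key policy does not grant kms:Decrypt to the principal")
    if not identity_policy_allows(identity_policy, "kms:Decrypt", key_arn):
        problems.append("identity policy does not grant kms:Decrypt on the key")
    return problems


if __name__ == "__main__":
    for line in diagnose(KEY_ARN, ROLE_ARN, KEY_POLICY, IDENTITY_POLICY, "us-east-2") or ["OK"]:
        print(line)
```

Feed it the real documents from `aws kms get-key-policy --key-id <key-id> --policy-name default --output text` in account A and `aws iam get-role-policy` (or the attached managed policy) in account B, with the key ARN reported by `get-bucket-encryption` or `head-object`; a non-empty result tells you which of the two sides still needs the statement from the answer.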