Resolving AWS Landing Zone KMS Key Configuration Errors
When managing an AWS Landing Zone, there may come a time when you need to enable and add KMS keys to your existing setup. However, this process isn't always straightforward, and you may encounter errors that prevent successful integration. One common issue is that the services involved lack permission to access the S3 bucket or the KMS key, which produces the following error message:
Resource handler returned message: "Invalid request provided: Insufficient permissions to access S3 bucket aws-controltower-logs-xxxx-xxxxx or KMS key arn:aws:kms:xxxxx:xxxxx:key/xxxxxx. (Service: CloudTrail, Status Code: 400, Request ID: b7c8cd8d-b8f0-420a-8815-995b5055f4b4)" (RequestToken: 5847df5c-58b9-1038-e8da-93f74cc57191, HandlerErrorCode: InvalidRequest)
This error typically occurs when trying to enable and add KMS keys to an existing AWS Landing Zone configuration. It highlights that there are insufficient permissions to access the required S3 bucket or KMS key, often due to a misconfigured KMS key policy or incorrect key settings.
Requirements for Configuring KMS Keys for AWS Landing Zone
To ensure smooth integration and avoid the above error, your KMS key must meet the following requirements:
- Enabled: The KMS key must be active and enabled.
- Symmetric: The key should be a symmetric key, as asymmetric keys are not supported for this use case.
- Not a Multi-Region Key: The key should be specific to a single region; multi-region keys are not supported.
- Correct Permissions: The key policy must include the necessary permissions to allow AWS services such as AWS Config and CloudTrail to access the key.
- Key in Management Account: The key must reside in the management account of your AWS Landing Zone.
Steps to Fix the Error
To resolve the error, you'll need to modify the KMS key policy to grant the required permissions to AWS Config and CloudTrail. Below is an example of a KMS key policy statement that you can add to your key's policy:
{
  "Sid": "AWSConfigCloudTrailKMSPolicy",
  "Effect": "Allow",
  "Principal": {
    "Service": ["config.amazonaws.com", "cloudtrail.amazonaws.com"]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "<KMS_ARN>"
}
Breakdown of the Key Policy
- "Sid": "AWSConfigCloudTrailKMSPolicy": This is the statement ID, used to identify this specific policy statement.
- "Effect": "Allow": This grants the permissions specified in the "Action" section.
- "Principal": Specifies the AWS services that are granted permissions, in this case AWS Config and CloudTrail.
- "Action": Lists the KMS actions that these services are allowed to perform. Here, kms:Decrypt allows decryption of data, and kms:GenerateDataKey allows the generation of data keys.
- "Resource": Specifies the ARN of the KMS key that the policy applies to. Replace <KMS_ARN> with the actual ARN of your KMS key.
Applying the Policy
To apply this policy:
- Navigate to the AWS KMS console.
- Locate the KMS key you intend to use.
- Edit the key policy and add the above JSON block to the existing "Statement" array (rather than replacing the whole policy, so the key's existing administrative statements are kept), ensuring you replace <KMS_ARN> with your specific KMS key ARN.
- Save the changes and attempt to re-enable the KMS key for your AWS Landing Zone.
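As an added example, not code from the article, here is an offline check of the requirements and policy described above: it takes the shape of `aws kms describe-key` and `aws kms get-key-policy` output (constructed sample values below, with placeholder account and key ids) and reports which requirement a key fails. It assumes the statement's "Resource" is either the key's own ARN, as in the article, or "*".

```python
import json

# Constructed `aws kms describe-key` output for a compliant key; the account
# and key ids are placeholders, not values from the article.
SAMPLE_METADATA = {
    "Arn": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
    "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "MultiRegion": False,
}
# Constructed key policy (shape of `aws kms get-key-policy` output) holding the
# article's statement with <KMS_ARN> filled in.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSConfigCloudTrailKMSPolicy", "Effect": "Allow",
    "Principal": {"Service": ["config.amazonaws.com", "cloudtrail.amazonaws.com"]},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": SAMPLE_METADATA["Arn"],
}]})
REQUIRED_SERVICES = ("cloudtrail.amazonaws.com", "config.amazonaws.com")
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}


def _as_set(value):
    # IAM policy fields may be a bare string or a list; normalise to a set.
    return set() if value is None else ({value} if isinstance(value, str) else set(value))


def granted_actions(policy_json, service, key_arn):
    """KMS actions the policy's Allow statements grant to one service on this key.
    Resource may be "*" or the key's own ARN; "kms:*" counts as both actions."""
    granted = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_set(principal.get("Service")) if isinstance(principal, dict) else set()
        if (stmt.get("Effect") != "Allow" or service not in services
                or not _as_set(stmt.get("Resource")) & {"*", key_arn}):
            continue
        actions = _as_set(stmt.get("Action"))
        granted |= REQUIRED_ACTIONS if "kms:*" in actions else actions
    return granted


def check_landing_zone_key(metadata, policy_json):
    """Return the article's requirements the key fails; an empty list means OK."""
    checks = [
        (metadata.get("KeyState") == "Enabled", "key is not enabled"),
        (metadata.get("KeySpec") == "SYMMETRIC_DEFAULT", "key is not symmetric"),
        (not metadata.get("MultiRegion"), "key is multi-region"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    for svc in REQUIRED_SERVICES:
        missing = REQUIRED_ACTIONS - granted_actions(policy_json, svc, metadata["Arn"])
        if missing:
            problems.append(f"{svc} lacks {', '.join(sorted(missing))}")
    return problems
```

Whether the key lives in the management account cannot be judged from the key alone, so compare the account id in the ARN with your management account id separately.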
Conclusion
By ensuring that your KMS key is configured correctly with the appropriate permissions, you can prevent the “Insufficient permissions” error and successfully integrate KMS keys into your AWS Landing Zone environment. Properly setting up your key policy not only resolves errors but also strengthens the security and management of your AWS infrastructure.
If you continue to encounter issues, double-check that your key meets all the requirements listed above and that the policy is correctly applied. With these steps, your AWS Landing Zone should be configured seamlessly with the necessary KMS key support.