Checking for KMS encryption on buckets was added to the product as of version 4.02.000. During this process we check the bucket attributes for Custom KMS Encryption. All buckets in the deployment account (Primary by default) will be able to be checked. But, if you have linked accounts, the cross-account role that was previously created does not have the permissions needed to perform that check. This will be indicated on the Bucket Protection page as a warning message tied to the account nickname (as seen below).

You will need to update the cross account role. Follow the steps below to update the role. This action should be taken in the linked account, not the deployment account.

1) Login to the AWS Console and navigate to the CloudFormation service (in the region you originally deployed it in).

2) Select the stack that represents the Cross Account Role and click the Update button as seen below.

3) On the Update stack page make sure to select Replace current template and then provide the cross account role stack URL in the field as indicated below. Then click the Next button.

https://css-cft.s3.amazonaws.com/LinkedAccountCloudFormationTemplate.yaml

4) Leave the parameters as they were on the Specify stack details page and simply click Next.

5) Click Next on the Configure stack options page.

6) Tick the I acknowledge ... box and click Update Stack.

7) It won't take long to complete the update.

8) It won't take long to complete the update. Once done you can navigate back to the Bucket Protection page and refresh the list of the buckets to see the warning disappear and determine the KMS status of your remote buckets.