Linked Account Out of Date
If your linked account is out of date, follow the steps below.
Checking for KMS encryption on buckets was added to the product as of version 4.02.000. During this process we check the bucket attributes for Custom KMS Encryption. All buckets in the deployment account (Primary by default) can be checked. However, if you have linked accounts, the cross-account role that was previously created does not have the permissions needed to perform that check. This is indicated on the Bucket Protection page as a warning message tied to the account nickname (as seen below).
You will need to update the cross account role. Follow the steps below to update the role. This action should be taken in the linked account, not the deployment account.
1) Log in to the AWS Console and navigate to the CloudFormation service (in the region you originally deployed it in).
2) Select the stack that represents the Cross Account Role and click the Update button as seen below.
3) On the Update stack page make sure to select Replace current template and then provide the cross account role stack URL in the field as indicated below. Then click the
4) Leave the parameters as they were on the Specify stack details page and simply click
Configure stack options page.
6) Tick the I acknowledge ... box and click
7) It won't take long to complete the update.
8) Once done you can navigate back to the Bucket Protection page and refresh the list of the buckets to see the warning disappear and determine the KMS status of your remote buckets.
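
The same update can be scripted with the AWS CLI when there are several linked accounts to fix. This is an added example, not part of the product's own tooling: the stack name, region and template URL are placeholders you supply, the function names are hypothetical, and CAPABILITY_NAMED_IAM is assumed to be the acknowledgement the template needs.

```shell
#!/usr/bin/env bash
# Added example: CLI equivalent of the console steps above. Run it with
# credentials for the LINKED account, in the region the stack was deployed in.
# Usage (all three values are yours to supply):
#   ./update-role.sh update <stack-name> <region> <cross-account-role-stack-url>

# Step 4 (leave the parameters as they were): turn a whitespace-separated list
# of parameter keys into "ParameterKey=K,UsePreviousValue=true" arguments.
# The CLI prints "None" when a stack has no parameters; treat that as empty.
previous_value_args() {
  out=""
  if [ "$1" = "None" ]; then
    return 0
  fi
  for key in $1; do
    out="${out:+$out }ParameterKey=${key},UsePreviousValue=true"
  done
  printf '%s' "$out"
}

# Read the parameter keys currently set on the stack.
current_parameter_keys() {
  aws cloudformation describe-stacks --stack-name "$1" --region "$2" \
    --query 'Stacks[0].Parameters[].ParameterKey' --output text
}

# Replace the template, keep existing parameter values, acknowledge the IAM
# change (assumed capability), then wait for the update to complete.
update_cross_account_role() {
  stack="$1"; region="$2"; template_url="$3"
  keys="$(current_parameter_keys "$stack" "$region")" || return 1
  params="$(previous_value_args "$keys")"
  # $params is left unquoted on purpose so each parameter is its own word.
  aws cloudformation update-stack --stack-name "$stack" --region "$region" \
    --template-url "$template_url" \
    ${params:+--parameters $params} \
    --capabilities CAPABILITY_NAMED_IAM || return 1
  aws cloudformation wait stack-update-complete \
    --stack-name "$stack" --region "$region"
}

# Only call AWS when explicitly asked to.
if [ "${1:-}" = "update" ]; then
  update_cross_account_role "$2" "$3" "$4"
fi
```

If the new template removes a parameter the stack currently has, the update is rejected for that key; drop it from the list and rerun.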