# Linked Account Out of Date

Checking for KMS encryption on buckets was added to the product as of version 4.02.000. During this process we check the bucket attributes for `Custom KMS Encryption`. All buckets in the deployment account (`Primary` by default) will be able to be checked. But, if you have [linked accounts](https://help.cloudstoragesec.com/console-overview/access-management/linked-accounts), the cross-account role that was previously created does not have the permissions needed to perform that check. This will be indicated on the [Bucket Protection](https://help.cloudstoragesec.com/console-overview/protection/aws/protected-buckets) page as a warning message tied to the account nickname (as seen below).

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FuOSOXiCYIVrjJLoZgwWw%2Fimage.png?alt=media&#x26;token=20310ce7-53e4-41b3-a84f-493ff250749f" alt=""><figcaption></figcaption></figure>

You will need to update the cross account role. Follow the steps below to update the role. This action should be taken in the linked account, not the deployment account.

1\) Login to the AWS Console and navigate to the CloudFormation service (in the region you originally deployed it in).

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FOTdFljksJqNPE5EzzIUa%2Fimage.png?alt=media&#x26;token=75fd8001-44de-4616-81dd-8b070071da00" alt=""><figcaption></figcaption></figure>

2\) Select the stack that represents the Cross Account Role and click the `Update` button as seen below.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2Fyub4fBJ5fR7twb8lroIo%2Fimage.png?alt=media&#x26;token=0ceebb15-3bc1-44bb-9b7f-7e92671113f2" alt=""><figcaption></figcaption></figure>

3\) On the `Update stack` page make sure to select `Replace current template` and then provide the cross account role stack URL in the field as indicated below. Then click the `Next` button.

```
https://css-cft.s3.amazonaws.com/LinkedAccountCloudFormationTemplate.yaml
```

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FxxgKEMKr9pwVDR0WCeST%2Fimage.png?alt=media&#x26;token=ca2a44d3-9100-4c21-91cd-e99cfc8cf675" alt=""><figcaption></figcaption></figure>

4\) Leave the parameters as they were on the `Specify stack details` page and simply click `Next`.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FLFhBEiRfqonnkKZMsB9m%2Fimage.png?alt=media&#x26;token=fde52f00-44cb-40dd-bf16-f12809bbfd5b" alt=""><figcaption></figcaption></figure>

5\) Click `Next` on the `Configure stack options` page.

6\) Tick the `I acknowledge ...` box and click `Update Stack`.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2Fvw6ZenOP9RmDcpnpydM0%2Fimage.png?alt=media&#x26;token=e2248616-34bb-43b5-9529-b914113d735d" alt=""><figcaption></figcaption></figure>

7\) It won't take long to complete the update.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FDBoSgxLzjRkv74DcW0GQ%2Fimage.png?alt=media&#x26;token=4a0d7c4c-c89e-4b2e-b63a-83ab9b89d250" alt=""><figcaption></figcaption></figure>

8\) It won't take long to complete the update. Once done you can navigate back to the Bucket Protection page and `refresh` the list of the buckets to see the warning disappear and determine the KMS status of your remote buckets.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FMSIeIjMZbkQrGdX6FtWK%2Fimage.png?alt=media&#x26;token=ed31ef0a-4b34-4ba1-9146-8ec2c22dd0a4" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.cloudstoragesec.com/trouble-shooting/linked-account-out-of-date.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.