# Linked Account Out of Date
Checking for KMS encryption on buckets was added to the product as of version 4.02.000. During this process we check the bucket attributes for `Custom KMS Encryption`. All buckets in the deployment account (`Primary` by default) will be able to be checked. But, if you have [linked accounts](https://help.cloudstoragesec.com/console-overview/access-management/linked-accounts), the cross-account role that was previously created does not have the permissions needed to perform that check. This will be indicated on the [Bucket Protection](https://help.cloudstoragesec.com/console-overview/protection/aws/protected-buckets) page as a warning message tied to the account nickname (as seen below).
You will need to update the cross account role. Follow the steps below to update the role. This action should be taken in the linked account, not the deployment account.
1\) Login to the AWS Console and navigate to the CloudFormation service (in the region you originally deployed it in).
2\) Select the stack that represents the Cross Account Role and click the `Update` button as seen below.
3\) On the `Update stack` page make sure to select `Replace current template` and then provide the cross account role stack URL in the field as indicated below. Then click the `Next` button.
```
https://css-cft.s3.amazonaws.com/LinkedAccountCloudFormationTemplate.yaml
```
4\) Leave the parameters as they were on the `Specify stack details` page and simply click `Next`.
5\) Click `Next` on the `Configure stack options` page.
6\) Tick the `I acknowledge ...` box and click `Update Stack`.
7\) It won't take long to complete the update.
8\) It won't take long to complete the update. Once done you can navigate back to the Bucket Protection page and `refresh` the list of the buckets to see the warning disappear and determine the KMS status of your remote buckets.
