Objects show unscannable with access denied
This issue is seen when the bucket is encrypted with SSE-KMS using a customer managed (custom) KMS key. Objects encrypted with standard SSE-S3 (AES-256), or with SSE-KMS using the AWS managed key `aws/s3`, are read and processed without any extra configuration. When a Custom KMS ARN is in use, you must give the scanning agent role access to that key in order to process objects within the bucket: S3 can hand the object to the agent, but without permission to decrypt the object's data key under that KMS key the read fails with access denied and the object is reported as unscannable.

This is straightforward to do. You have two options, shown below. Global KMS Access is preferable because it is a single activity that grants access to all keys, and when keys are rotated or new keys come online for additional buckets the solution can use them automatically. This access is granted in the agent role's IAM permissions using the `kms:ViaService` condition, which means the agent can only use the keys when it is acting on S3 buckets and objects, not through any other service. Note that Global KMS Access relies on each key's policy delegating permissions to IAM (the default key policy's "Enable IAM User Permissions" statement for the account root); a key whose policy omits that statement still needs the per-key grant. If you would prefer to grant access on a per-key basis, follow the second option.

Any product update starting with the 4.04.004 release automatically turns on Global KMS Access, because it is the default option in the CloudFormation template from that release onward. If you do not want this set, follow the steps below but select No for the option.
The two options are Global KMS Access (limited scope) and Individual Key Access.
Global KMS Access (limited scope)

In the case of cross-account scanning, rerun the CloudFormation template in the remote account as well and ensure the KMS option is set to Yes, just as shown below. The steps below walk you through setting up the primary account.

1. Log in to the AWS Console and navigate to the CloudFormation service (ensure you are in the appropriate region).
2. Select the stack that represents the initial Console deployment (CloudStorageSec-AV-for-S3 if you kept the default name) and click the Update button.
3. Leave the selection as Use current template and click the Next button.
4. Find the Allow Access to All KMS Keys option and change its value as desired (Yes to enable, No to disable). Leave all other parameters at their current values unless you want to change them as well.
5. Click the Next button, and click Next again on the following screen.
6. Review the stack changes, tick the I acknowledge box and click the Update Stack button.
Individual Key Access

In the case of cross-account scanning, in the remote account you would grant the CloudStorageSecRemoteRole access to the Custom KMS ARN (the key) in the same way. The steps below walk you through setting up the primary account.

1. Log in to the AWS Console and navigate to the Key Management Service.
2. Select the key you are using for encryption on that bucket.
3. Scroll down to Key users and click the Add button.
4. Search for the word agent and select the CloudStorageSecAgentRole-<appID> role.
5. Click the Add button. The role should now be listed under Key users; the console implements this by adding the role as a principal of the key policy statement that allows use of the key (Encrypt, Decrypt, ReEncrypt, GenerateDataKey and DescribeKey).
You are now all set with regard to processing the encrypted objects within the bucket. Objects that were scanned before the key access was granted are not retried automatically, so you will need to reprocess them. Keep in mind that a bucket's default encryption key is only a default: objects uploaded with a different KMS key need the same access granted on that key as well.
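To make the two options concrete, the following is an added example in Python (not the product's code and not taken from this page). It classifies a bucket's default-encryption rule as returned by `aws s3api get-bucket-encryption`, then evaluates a constructed KMS key policy together with a constructed agent IAM policy to decide whether the agent role can call kms:Decrypt through S3, which is the check that fails with access denied. The account ID, region, app-ID suffix, key ARN and all policy documents are assumptions; the exact statements the CloudFormation template and the KMS console generate may differ from the samples here.

```python
"""Added example (not Cloud Storage Security's code): model the Individual Key
Access and Global KMS Access paths and classify a bucket's default encryption.
All ARNs, the app-ID suffix and the policy documents are constructed
assumptions for the example, not values taken from the product."""
import fnmatch

ACCOUNT = "111122223333"                       # assumed account ID
REGION = "us-east-1"                           # assumed region
AGENT_ROLE = f"arn:aws:iam::{ACCOUNT}:role/CloudStorageSecAgentRole-abcd1234"
S3_VIA_SERVICE = f"s3.{REGION}.amazonaws.com"  # what KMS sees in kms:ViaService


def bucket_default_needs_key_grant(rule: dict) -> bool:
    """Classify one rule from `aws s3api get-bucket-encryption`.
    SSE-S3 (AES256) and SSE-KMS on the AWS managed aws/s3 key are readable
    without extra grants; any other key requires giving the agent role access."""
    sse = rule["ApplyServerSideEncryptionByDefault"]
    if sse["SSEAlgorithm"] == "AES256":
        return False
    key_id = sse.get("KMSMasterKeyID")         # absent means aws/s3 is used
    return not (key_id is None or key_id.endswith("alias/aws/s3"))


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_matches(stmt: dict, principal_arn: str) -> bool:
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return any(p in ("*", principal_arn) for p in aws)


def _action_matches(stmt: dict, action: str) -> bool:
    # IAM action matching is case-insensitive and supports * wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt.get("Action")))


def _conditions_hold(stmt: dict, via_service: str, unknown: bool) -> bool:
    """Only kms:ViaService under StringEquals/StringLike is modelled. Any other
    condition returns `unknown`: False for Allow statements (never assume
    access) and True for Deny statements (assume the deny applies)."""
    for operator, keys in stmt.get("Condition", {}).items():
        for key, wanted in keys.items():
            if key.lower() != "kms:viaservice" or operator not in ("StringEquals", "StringLike"):
                return unknown
            if not any(fnmatch.fnmatchcase(via_service, w) for w in _as_list(wanted)):
                return False
    return True


def policy_allows(policy: dict, action: str, via_service: str, principal_arn=None) -> bool:
    """Evaluate a key policy (pass principal_arn) or an identity policy attached
    to the role (principal_arn=None). Resource is ignored, which is exact for
    key policies (always "*") and a simplification for the IAM policy."""
    stmts = _as_list(policy.get("Statement"))

    def matches(stmt, unknown):
        return ((principal_arn is None or _principal_matches(stmt, principal_arn))
                and _action_matches(stmt, action)
                and _conditions_hold(stmt, via_service, unknown))

    if any(s.get("Effect") == "Deny" and matches(s, True) for s in stmts):
        return False                           # an explicit deny always wins
    return any(s.get("Effect") == "Allow" and matches(s, False) for s in stmts)


def agent_can_decrypt_via_s3(key_policy: dict, agent_iam_policy: dict, role_arn: str = AGENT_ROLE,
                             account: str = ACCOUNT, via_service: str = S3_VIA_SERVICE) -> bool:
    """Individual Key Access: the key policy names the role directly.
    Global KMS Access: the key policy delegates to IAM (the default root
    statement) AND the role's own policy allows kms:Decrypt via S3."""
    direct = policy_allows(key_policy, "kms:Decrypt", via_service, role_arn)
    root = f"arn:aws:iam::{account}:root"
    delegated = (policy_allows(key_policy, "kms:Decrypt", via_service, root)
                 and policy_allows(agent_iam_policy, "kms:Decrypt", via_service))
    return direct or delegated


# Constructed sample policies (assumptions shaped like the KMS console's default
# key policy, its "key users" statement, and an IAM policy scoped by ViaService).
KEY_POLICY_DEFAULT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"}]}

KEY_POLICY_WITH_AGENT_AS_KEY_USER = {"Version": "2012-10-17", "Statement":
    KEY_POLICY_DEFAULT["Statement"] + [
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": AGENT_ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}]}

AGENT_POLICY_NO_KMS = {"Version": "2012-10-17", "Statement": []}

AGENT_POLICY_GLOBAL_KMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": S3_VIA_SERVICE}}}]}

if __name__ == "__main__":
    cmk_rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"}}
    print("bucket default needs key grant:", bucket_default_needs_key_grant(cmk_rule))
    print("no grant (access denied):", agent_can_decrypt_via_s3(KEY_POLICY_DEFAULT, AGENT_POLICY_NO_KMS))
    print("individual key access:", agent_can_decrypt_via_s3(KEY_POLICY_WITH_AGENT_AS_KEY_USER, AGENT_POLICY_NO_KMS))
    print("global KMS access:", agent_can_decrypt_via_s3(KEY_POLICY_DEFAULT, AGENT_POLICY_GLOBAL_KMS))
```

Two behaviours of the checker are worth noting. A key policy with no root delegation statement (for example `{"Statement": []}`) makes the Global KMS Access path return False even when the agent's IAM policy is correct, which is exactly the case where the per-key grant is still required. And because `kms:ViaService` carries the region, a role granted access for `s3.us-east-1.amazonaws.com` is refused when the bucket (and therefore the S3 endpoint calling KMS) is in another region, so a multi-region deployment needs a ViaService value per region.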