Cloud Storage Security Help Docs
Need live support? Join our office hoursRelease NotesPolicies
Search
⌃K
Links

Objects show unscannable with access denied

This issue is seen when the customer is using AWS-KMS with a Custom KMS for encryption on the bucket.
Standard AES-256 and AWS-KMS leveraging aws/s3 will be read and processed just fine. When using a Custom KMS ARN you must give the scanning agent role access to the key in order to process objects within the bucket. This is straight forward to do.
You have two options as seen below to enable this. Global KMS Access is favorable because it is one activity to grant access to all keys. Also, in the event of keys being rotated or as new keys come online for additional buckets the solution will automatically be able to leverage them. The KMS access is granted using the viaService option within the permissions. This means that the Agent can only use the keys when dealing with S3 buckets and objects. If you'd prefer to grant access on a per-key basis you can follow the second option.

Global KMS access by default

Any product update starting with the 4.04.004 release will automatically turn on Global KMS access. This is a result of it being the default option within the CloudFormation template starting with that release. If you do not want this set, follow the steps below, but select No in the option.
Global KMS Access (limited scope)
Individual Key Access
In the case of cross-account scanning, in the remote account you would rerun the CloudFormation template and ensure the KMS option is set to Yes much like you'll see below.
The steps below walk you through setting up the primary account.
  1. 1.
    Login to the AWS Console and navigate to the CloudFormation service (ensure you are in the appropriate region).
  2. 2.
    Select the stack that represents the initial Console deployment and click the Update button (CloudStorageSec-AV-for-S3 if you kept the default name).
  3. 3.
    Leave the selection as Use current template and click the Next button.
  4. 4.
    Find the Allow Access to All KMS Keys option and change this value as desired (Yes to enable, No to disable). Leave all other parameters as their current values unless you desire them to change as well.
    CF Stack Update 3
  5. 5.
    Click the Next button and on the following screen.
  6. 6.
    Review the stack changes, tick the I acknowledge box and click the Update Stack button.
In the case of cross-account scanning, in the remote account you would assign the Custom KMS ARN to the CloudStorageSecRemoteRole.
The steps below walk you through setting up the primary account.
  1. 1.
    Login to the AWS Console and navigate to your Key Management Service.
  2. 2.
    Select the key you are using for encryption on that bucket.
  3. 3.
    Scroll down to Key Users and click the Add button.
  4. 4.
    Search for the word agent and select the CloudStorageSecAgentRole-<appID> role.
  5. 5.
    Click the Add button and you should now see the following:
You are now all set in regards to processing the encrypted objects within the bucket. You'll need to reprocess the objects that were scanned prior to enabling the key use.
Previous
Modifying scaling info post-deployment
Next
Remote account objects not scanning
Last modified 3mo ago