# Objects show unscannable with access denied

Objects encrypted with standard AES-256 (SSE-S3) or with AWS-KMS using the AWS-managed `aws/s3` key are read and processed without any extra setup. When a bucket uses a `Custom KMS ARN`, you must grant the scanning agent role access to that key before objects in the bucket can be processed; until you do, they show as unscannable with access denied. This is straightforward to do.

There are two ways to grant this access, shown in the tabs below. Global KMS Access is preferable because it is a single activity that grants access to all keys, and because rotated keys or new keys brought online for additional buckets are usable by the solution automatically. The KMS access is granted using the `viaService` option (the `kms:ViaService` condition key) within the permissions, so the Agent can only use the keys when it is working with S3 buckets and objects, not by calling KMS directly. If you prefer to grant access on a per-key basis, follow the second option.

## Global KMS access by default

Any product update from the 4.04.004 release onward turns on Global KMS access automatically, because it is the default option in the CloudFormation template starting with that release. If you do not want this enabled, follow the steps below but select No for the option.

{% tabs %}
{% tab title="Global KMS Access (limited scope)" %}
{% hint style="info" %}
In the case of cross-account scanning, in the remote account you would rerun the CloudFormation template and ensure the KMS option is set to Yes much like you'll see below.

The steps below walk you through setting up the `primary` account.
{% endhint %}

1. Login to the AWS Console and navigate to the CloudFormation service (ensure you are in the appropriate region).

   <figure><img src="https://help.cloudstoragesec.com/img/aws-cf-menu.png" alt=""><figcaption></figcaption></figure>
2. Select the stack that represents the initial Console deployment and click the `Update` button (`CloudStorageSec-AV-for-S3` if you kept the default name).

   <figure><img src="https://help.cloudstoragesec.com/img/aws-cf-stack-update1.png" alt=""><figcaption></figcaption></figure>
3. Leave the selection as `Use current template` and click the `Next` button.

   <figure><img src="https://help.cloudstoragesec.com/img/aws-cf-stack-update2.png" alt=""><figcaption></figcaption></figure>
4. Find the `Allow Access to All KMS Keys` option and change this value as desired (Yes to enable, No to disable). **Leave all other parameters as their current values unless you desire them to change as well.**

   ![CF Stack Update 3](https://help.cloudstoragesec.com/img/aws-cf-stack-update3.png)
5. Click the `Next` button on this screen, and again on the following screen.
6. Review the stack changes, tick the `I acknowledge` box and click the `Update Stack` button.

   <figure><img src="https://help.cloudstoragesec.com/img/aws-cf-stack-update4.png" alt=""><figcaption></figcaption></figure>

{% endtab %}

{% tab title="Individual Key Access" %}
{% hint style="info" %}
In the case of cross-account scanning, in the remote account you would assign the `Custom KMS ARN` to the CloudStorageSecRemoteRole.

The steps below walk you through setting up the `primary` account.
{% endhint %}

1. Login to the AWS Console and navigate to your Key Management Service.

   <figure><img src="https://help.cloudstoragesec.com/img/aws-kms-menu.png" alt=""><figcaption></figcaption></figure>
2. Select the key you are using for encryption on that bucket.

   <figure><img src="https://help.cloudstoragesec.com/img/aws-kms-key.png" alt=""><figcaption></figcaption></figure>
3. Scroll down to `Key Users` and click the `Add` button.

   <figure><img src="https://help.cloudstoragesec.com/img/aws-kms-key-user-add.png" alt=""><figcaption></figcaption></figure>
4. Search for the word agent and select the `CloudStorageSecAgentRole-<appID>` role.

   <figure><img src="https://help.cloudstoragesec.com/img/aws-kms-key-search-agent.png" alt=""><figcaption></figcaption></figure>
5. Click the `Add` button and you should now see the following:

   <figure><img src="https://help.cloudstoragesec.com/img/aws-kms-key-user.png" alt=""><figcaption></figcaption></figure>

{% endtab %}
{% endtabs %}
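For readers who manage these grants as code rather than through the console, the following CloudFormation fragment shows what each of the two options above amounts to. It is an added illustration written for this page, not a copy of the CloudStorageSec template or of anything the product deploys; the `AgentRoleName` parameter, the `BucketEncryptionKey` resource and the statement IDs are assumptions chosen for the example.

```yaml
# Added illustration (not from the CloudStorageSec template): the two shapes of
# KMS grant described in the tabs above, expressed as CloudFormation resources.
# Assumed names: the AgentRoleName parameter and the BucketEncryptionKey resource.
Parameters:
  AgentRoleName:
    Type: String
    Description: Name of the scanning agent role, e.g. CloudStorageSecAgentRole-<appID>

Resources:
  # Option 1 (Global KMS Access): an identity policy attached to the agent role.
  # It may use any KMS key in the account, but only when the request arrives
  # through S3 in this region (the kms:ViaService condition). A direct
  # kms:Decrypt call made by the agent is denied, and keys that are rotated or
  # created later for new buckets are covered without further changes.
  AgentGlobalKmsPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Roles:
        - !Ref AgentRoleName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: UseAnyKmsKeyOnlyThroughS3
            Effect: Allow
            Action:
              - kms:Decrypt
              - kms:DescribeKey
            Resource: "*"
            Condition:
              StringEquals:
                kms:ViaService: !Sub "s3.${AWS::Region}.amazonaws.com"

  # Option 2 (Individual Key Access): the key's own resource policy names the
  # agent role as a key user. This is what the console "Key users > Add" step
  # writes, and it has to be repeated for every custom key a scanned bucket uses.
  BucketEncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Example customer-managed key for a scanned bucket (assumed)
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Default administrative statement; it is also what lets IAM policies
          # (such as Option 1 above) grant use of this key at all.
          - Sid: EnableRootAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: kms:*
            Resource: "*"
          # The key-user grant for the scanning agent role.
          - Sid: AllowScanningAgentToUseKey
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/${AgentRoleName}"
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
```

One caveat worth checking when Option 1 is enabled but a bucket still shows access denied: an identity policy can only grant use of a key whose key policy delegates to IAM (the root-account statement that the console adds by default). A key whose policy omits that statement, or a key that lives in another account, is not reachable through the global grant and needs the per-key grant, or the cross-account role assignment the hints above describe.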

You are now all set with regard to processing the encrypted objects within the bucket. Objects that were scanned before key access was enabled still carry their old result, so you will need to reprocess them.
