
I am trying to configure a CloudTrail in a master AWS account and an AWS s3 bucket in a logging account. I've configured the s3 bucket policy in the logging account such that the master account CloudTrail resource has access to write to it. However, when I edit the CloudTrail in the master account I get

"The AWS KMS key policy does not grant CloudTrail sufficient access"

Expected: After editing the master account CloudTrail and clicking save, the CloudTrail logs from the master account flow to the S3 bucket.

Actual: After editing the master account CloudTrail and clicking save, the following error is produced: "The AWS KMS key policy does not grant CloudTrail sufficient access"

The KMS key policy for the master account is configured like so:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableIAMUserPermissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "AllowCloudTrailAccess",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "AllowCloudTrailToEncryptLogs",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:master_account_id:trail/*"
                }
            }
        },
        {
            "Sid": "EnableCloudTrailLogDecryptPermissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:ReEncryptFrom",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "master_account_id"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:master_account_id:trail/*"
                }
            }
        },
        {
            "Sid": "AllowAliasCreationDurningSetup",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "kms:CreateAlias",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "ec2.us-east-1.amazonaws.com",
                    "kms:CallerAccount": "master_account_id"
                }
            }
        },
        {
            "Sid": "EnableCrossAccountLogDecryption",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:ReEncryptFrom",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "master_account_id"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:master_account_id:trail/*"
                }
            }
        },
        {
            "Sid": "EnableCrossAccountLogDecryption",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:ReEncryptFrom",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "logging_account_id"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:logging_account_idtrail/*"
                }
            }
        }
    ]
}

The master_account_id is the ID of the master AWS account and the logging_account_id is the ID of the AWS logging account. How can I troubleshoot this issue?

This does not look like a KMS key policy related issue, because the policy (in the "Sid": "EnableIAMUserPermissions" section) has "Principal": { "AWS": "*" }, which essentially makes the key public; I recommend you restrict it to specific accounts. Is the S3 bucket policy properly configured? – sudo Oct 25 '21 at 16:33

1 Answer


This does seem to be an issue with the S3 bucket policy. The error message "The AWS KMS key policy does not grant CloudTrail sufficient access" is confusing, because when you look at the CloudTrail event history you will see something like

"Insufficient permissions to access S3 bucket xyz or KMS key arn:aws:kms:eu-west-1:xyz"

Please have a look at the S3 bucket policy; I faced a similar issue and it got fixed after updating the S3 bucket policy.
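As an added example (not code from the question or the answer), the script below is a small offline linter for the two policies involved. It takes a KMS key policy and an S3 bucket policy as parsed JSON and checks for the statements CloudTrail needs: kms:DescribeKey and kms:GenerateDataKey* for cloudtrail.amazonaws.com, scoped by the kms:EncryptionContext:aws:cloudtrail:arn condition, s3:GetBucketAcl on the bucket, and s3:PutObject under AWSLogs/<trail account>/ with the bucket-owner-full-control ACL condition. The sample documents are constructed: the key policy condenses the one in the question and reproduces two defects visible there (a duplicate Sid, and an encryption-context ARN with no colon before trail/) plus the unconditioned "Principal": {"AWS": "*"} statement the comment flags; the account IDs and bucket name are placeholders.

```python
"""Offline lint for the KMS key policy and S3 bucket policy a cross-account CloudTrail needs.
Added example, not code from the question or answer; ids, bucket name and documents are constructed."""
from collections import Counter
from fnmatch import fnmatchcase

CLOUDTRAIL = "cloudtrail.amazonaws.com"
TRAIL_CTX_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"

def _l(x):
    """IAM allows most elements as a string or a list; normalise to a list."""
    return x if isinstance(x, list) else [x]

def _principal(stmt, kind, value):
    p = stmt.get("Principal")
    if p == "*":  # bare "*" is shorthand for {"AWS": "*"}
        return kind == "AWS" and value == "*"
    return isinstance(p, dict) and value in _l(p.get(kind, []))

def _allows(stmt, action, resource=None):
    """True if an Allow statement's Action (and Resource) patterns cover the request."""
    if stmt.get("Effect") != "Allow" or not any(fnmatchcase(action, a) for a in _l(stmt.get("Action", []))):
        return False
    return resource is None or any(fnmatchcase(resource, r) for r in _l(stmt.get("Resource", [])))

def _trail_arn_ok(arn):
    parts = arn.split(":", 5)  # arn:aws:cloudtrail:<region|*>:<account|*>:trail/<name>
    return len(parts) == 6 and parts[:3] == ["arn", "aws", "cloudtrail"] and parts[5].startswith("trail/")

def lint_kms_key_policy(policy, trail_account):
    """Findings for the key that encrypts a trail owned by `trail_account`."""
    stmts, findings = _l(policy["Statement"]), []
    for sid, n in Counter(st.get("Sid") for st in stmts if "Sid" in st).items():
        if n > 1:
            findings.append(f"duplicate Sid {sid!r}: Sid values should be unique within a policy")
    ct = [st for st in stmts if _principal(st, "Service", CLOUDTRAIL)]
    gen = [st for st in ct if _allows(st, "kms:GenerateDataKey")]
    if not gen:
        findings.append(f"{CLOUDTRAIL} is not allowed kms:GenerateDataKey*")
    elif not any(TRAIL_CTX_KEY in c for st in gen for c in st.get("Condition", {}).values()):
        findings.append(f"GenerateDataKey grant is not scoped by {TRAIL_CTX_KEY}")
    if not any(_allows(st, "kms:DescribeKey") for st in ct):
        findings.append(f"{CLOUDTRAIL} is not allowed kms:DescribeKey")
    for st in stmts:
        for cond in st.get("Condition", {}).values():
            for arn in _l(cond.get(TRAIL_CTX_KEY, [])):
                if not _trail_arn_ok(arn):
                    findings.append(f"{st.get('Sid')}: malformed trail ARN in condition: {arn}")
        if st.get("Effect") == "Allow" and _principal(st, "AWS", "*") and "Condition" not in st:
            findings.append(f"{st.get('Sid')}: unconditioned Principal AWS '*' is usable from any AWS account")
    return findings

def lint_s3_bucket_policy(policy, bucket, trail_account):
    """Findings for the bucket that receives logs from a trail owned by `trail_account`."""
    stmts, findings = _l(policy["Statement"]), []
    ct = [st for st in stmts if _principal(st, "Service", CLOUDTRAIL)]
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if not any(_allows(st, "s3:GetBucketAcl", bucket_arn) for st in ct):
        findings.append(f"{CLOUDTRAIL} cannot s3:GetBucketAcl on {bucket_arn}")
    obj = f"{bucket_arn}/AWSLogs/{trail_account}/CloudTrail/us-east-1/example.json.gz"
    writers = [st for st in ct if _allows(st, "s3:PutObject", obj)]
    if not writers:
        findings.append(f"{CLOUDTRAIL} cannot s3:PutObject under AWSLogs/{trail_account}/")
    for st in writers:
        if st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"{st.get('Sid')}: s3:PutObject must require s3:x-amz-acl = bucket-owner-full-control")
    return findings

MASTER, LOGGING, BUCKET = "111111111111", "222222222222", "example-cloudtrail-logs"  # constructed ids
KEY_POLICY = {"Version": "2012-10-17", "Statement": [  # condensed from the question, defects kept
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowCloudTrailAccess", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "kms:DescribeKey", "Resource": "*"},
    {"Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "kms:GenerateDataKey*", "Resource": "*",
     "Condition": {"StringLike": {TRAIL_CTX_KEY: f"arn:aws:cloudtrail:*:{MASTER}:trail/*"}}},
    {"Sid": "EnableCrossAccountLogDecryption", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": MASTER}}},
    {"Sid": "EnableCrossAccountLogDecryption", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
     "Condition": {"StringLike": {TRAIL_CTX_KEY: f"arn:aws:cloudtrail:*:{LOGGING}trail/*"}}}]}
BAD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [  # no AclCheck, no ACL condition
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
GOOD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [  # the two statements CloudTrail needs
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{MASTER}/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}

if __name__ == "__main__":
    for name, found in [("kms", lint_kms_key_policy(KEY_POLICY, MASTER)),
                        ("s3-bad", lint_s3_bucket_policy(BAD_BUCKET_POLICY, BUCKET, MASTER)),
                        ("s3-good", lint_s3_bucket_policy(GOOD_BUCKET_POLICY, BUCKET, MASTER))]:
        print(name, *(found or ["OK"]), sep="\n  ")
```

The script never talks to AWS; to check real documents, feed it the policy strings returned by `aws kms get-key-policy` and `aws s3api get-bucket-policy` after `json.loads`. The action and resource matching is a deliberate simplification (Allow statements with `*` wildcards only, no Deny or NotAction handling), which is enough to spot the missing-statement and missing-condition cases this thread is about.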