cloudposse / terraform-aws-vpc-flow-logs-s3-bucket

Terraform module to provision s3-backed flow logs for VPC and subnets

Home Page: https://cloudposse.com/accelerate

KMS policy does not allow key to be used with s3

bwmetcalf opened this issue

Describe the Bug

The policy attached to the generated key does not allow the key to be used to access S3 objects encrypted with said key. When trying to access an S3 object, an access denied error is generated.

Expected Behavior

The key policy should include at minimum

"kms:Decrypt*",
"kms:GenerateDataKey*"

Adding these actions fixes the issue.

Fixed by #33
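
A way to check a KMS key policy for the gap reported above before applying it. This is an added example, not code from the issue or from the module. The role ARN and both sample policies are constructed, and the evaluation is simplified: it reads only Allow statements and ignores Deny, NotAction, NotPrincipal and Condition.

```python
from fnmatch import fnmatchcase

# Concrete actions covered by the two patterns named in the issue.
REQUIRED = ("kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, principal):
    # Simplification: exact ARN match or "*"; no account-root delegation.
    if stmt_principal == "*":
        return True
    if not isinstance(stmt_principal, dict):
        return False
    return any(p in ("*", principal)
               for vals in stmt_principal.values() for p in _as_list(vals))


def missing_kms_actions(policy, principal, required=REQUIRED):
    """Return the required actions that no Allow statement grants to principal."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_matches(stmt.get("Principal"), principal):
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for action in required:
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                granted.add(action)
    return [a for a in required if a not in granted]


# Constructed sample policies (assumptions, not the module's real policy).
READER = "arn:aws:iam::111122223333:role/log-reader"
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": READER},
     "Action": ["kms:Describe*", "kms:List*", "kms:Get*"], "Resource": "*"}]}
AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": READER},
     "Action": ["kms:Describe*", "kms:Decrypt*", "kms:GenerateDataKey*"],
     "Resource": "*"}]}

if __name__ == "__main__":
    print("before:", missing_kms_actions(BEFORE, READER))
    print("after: ", missing_kms_actions(AFTER, READER))
```
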