Macie and KMS Encryption Keys

In order for Amazon Macie to scan an object in your S3 bucket that is encrypted with a customer managed KMS key, the Macie service-linked role must be granted permission to use that key. The Confidential bucket in the workshop is encrypted with a KMS key, and the correct permissions have already been assigned to the key to provide you with an example.

For more information, you can read the documentation on the encryption types that Macie supports.

View the permissions for the KMS keys used in this workshop in the KMS console. Look for the key alias MacieWorkshop-Env-Setup-confidential-bucket-encryption-key.

The JSON policy statement that has been applied to the customer managed KMS key is shown below for your information. <ACCOUNT NUMBER> will be the account number of the account you are using.

        {
            "Sid": "Allow Macie Service Role to use the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT NUMBER>:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        }
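As an added check that is not part of the workshop, the following Python script parses a KMS key policy and reports which of the actions granted in the statement above are not allowed to the Macie service-linked role, so you can verify a key before a Macie job runs against it. It assumes a constructed account number (123456789012) and a constructed key policy containing the workshop statement; the policy would otherwise come from the kms:GetKeyPolicy API.

```python
import fnmatch
import json
ACCOUNT = "123456789012"  # constructed sample account number, not a real one
MACIE_ROLE = ("arn:aws:iam::%s:role/aws-service-role/"
              "macie.amazonaws.com/AWSServiceRoleForAmazonMacie")
# Actions granted by the workshop statement; kms:ReEncrypt* covers both ReEncrypt actions.
REQUIRED = ("kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
            "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKey")

# Constructed key policy: the usual root-admin statement plus the workshop statement.
WORKSHOP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::%s:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow Macie Service Role to use the key", "Effect": "Allow",
     "Principal": {"AWS": "%s"},
     "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
                "kms:ReEncrypt*", "kms:GenerateDataKey"],
     "Resource": "*"}
  ]
}""" % (ACCOUNT, MACIE_ROLE % ACCOUNT))

def _as_list(v):
    return v if isinstance(v, list) else [v]

def missing_macie_actions(policy, account_id):
    """Required actions the key policy does not allow the Macie role to perform;
    an empty list means Macie can use the key. Deny wins; Conditions are ignored."""
    role = MACIE_ROLE % account_id
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if role not in aws and "*" not in aws:
            continue  # statement does not apply to the Macie service-linked role
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        hit = {r for r in REQUIRED
               if any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hit)
    return [r for r in REQUIRED if r not in allowed - denied]

def without_decrypt(policy):
    """Copy of a policy with kms:Decrypt removed from every statement (for the demo)."""
    copy = json.loads(json.dumps(policy))
    for stmt in copy["Statement"]:
        stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a != "kms:Decrypt"]
    return copy
```

Running `missing_macie_actions(WORKSHOP_POLICY, ACCOUNT)` returns an empty list for the workshop policy, while a policy that omits kms:Decrypt reports that action as missing.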