DEVOPSZONES

    How can I fix Kinesis Data Firehose's "Access Denied" problem while publishing to an Amazon S3 bucket?

     I'm attempting to write data encrypted by AWS Key Management Service (AWS KMS) from Amazon Kinesis Data Firehose to an Amazon Simple Storage Service (Amazon S3) bucket. But I keep getting "Access Denied" errors. How can I fix this?


    Resolution


    Follow these steps to fix the "Access Denied" error message in Kinesis Data Firehose:


    1. Open the AWS KMS console.


    2. Choose the KMS key that currently encrypts your S3 bucket.


    3. Choose Change to policy view.


    4. Verify that the key policy grants the Kinesis Data Firehose role the permissions it needs. Only with that access can Firehose use the key to encrypt the data it writes to your S3 bucket.


    5. Update your policy by adding a statement like the following, which grants the Kinesis Data Firehose role access to the KMS key:

    {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<account-ID>:role/<FirehoseRole>"
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "<ARN of the KMS key>"
    }

    Be sure to specify the Amazon Resource Name (ARN) of the KMS key that encrypted your S3 bucket.


    6. Choose Save.
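    As an added example (not from the original post or from AWS), the following Python checker reads a KMS key policy document and reports which of the actions from step 5 the Firehose role still lacks, honouring IAM wildcards and explicit Deny statements. The policy, role ARN and key ARN it uses are constructed placeholders, and the expansion of the two wildcard actions into concrete action names is this example's own assumption.

```python
import fnmatch
import json

# Concrete KMS actions behind the page's statement (its "kms:ReEncrypt*" and
# "kms:GenerateDataKey*" wildcards expanded; the expansion is this example's own).
REQUIRED_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _statement_applies(stmt, role_arn, key_arn):
    """True if the statement names the role (or "*") and the key ARN (or "*")."""
    principal = stmt.get("Principal", {})
    principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
    resources = _as_list(stmt.get("Resource"))
    return (role_arn in principals or "*" in principals) and (
        key_arn in resources or "*" in resources)

def missing_kms_actions(policy_json, role_arn, key_arn):
    """Return the required actions the key policy does not grant to role_arn.
    Patterns match case-insensitively with IAM-style wildcards, and an explicit
    Deny overrides any Allow, mirroring IAM's evaluation order."""
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        bucket = {"Allow": allowed, "Deny": denied}.get(stmt.get("Effect"))
        if bucket is None or not _statement_applies(stmt, role_arn, key_arn):
            continue
        for pattern in _as_list(stmt.get("Action")):
            bucket.update(a for a in REQUIRED_ACTIONS
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]

# Constructed sample: a default root statement plus the page's Firehose statement.
# Both ARNs are placeholders, not real accounts or keys.
ROLE_ARN = "arn:aws:iam::111122223333:role/FirehoseRole"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/<key-id>"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ROLE_ARN},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": KEY_ARN},
]})
```

    To check a real key before or after step 6, pass the Policy string returned by `aws kms get-key-policy --key-id <key-id> --policy-name default` to missing_kms_actions together with your Firehose role ARN; an empty list means the key policy side of the "Access Denied" error is covered.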

    You can also resolve the "Access Denied" error without editing the key policy JSON yourself. To do so, perform the following steps:

    1. Open the AWS KMS console.

    2. Choose the KMS key that is currently being used to encrypt your S3 bucket.

    3. In the Key users section, choose Add.

    4. Select your Kinesis Data Firehose role.

    5. Choose Add. The Kinesis Data Firehose role now has the permissions it needs to write data to the encrypted S3 bucket.

