Troubleshoot SSE-KMS with VPC Endpoint Errors
If Data 360 fails to retrieve encrypted objects after you apply VPC endpoint or KMS policies, use this table to identify and resolve common issues.
| Symptom | Likely Cause | Resolution |
|---|---|---|
| AccessDenied or KMS.AccessDeniedException on encrypted object retrieval after adding VPC restrictions | An aws:SourceVpce or aws:SourceVpc condition was added to the KMS key policy. For SSE-KMS objects, S3 calls KMS on the caller's behalf, so the KMS request does not arrive through your VPC endpoint and the condition fails. | Remove the VPC condition from your KMS key policy. Enforce it in your S3 bucket policy instead, as a Deny statement for the Data 360 IAM user conditioned on aws:SourceVpce with your VPCE ID (typically StringNotEquals, so requests from anywhere other than that endpoint are denied). |
| Retrieval works without the VPC restriction but fails after security hardening | The security team added VPC restrictions to both the bucket policy and the KMS key policy | Check your KMS key policy for aws:SourceVpc or aws:SourceVpce conditions and remove them. Verify that your bucket policy has a Deny statement for the Data 360 IAM user with the VPCE condition. |
| Intermittent access failures after a policy change | IAM policy propagation delay or cached credentials | Wait 5–10 minutes for the policy change to propagate, then retry. Verify that all three policies (bucket, KMS key, IAM identity) are consistent with each other. |
| AccessDenied even though the VPC condition is only on the bucket policy | The Data 360 IAM user lacks S3 permissions or KMS decrypt access | Verify that the IAM user has S3 access (via a bucket policy Allow or an identity-based policy) and that the KMS key policy grants kms:Decrypt to the IAM user's ARN. |
| Access works, but the KMS key policy has no kms:ViaService condition | The KMS key policy is more permissive than it needs to be | Add a kms:ViaService condition (value s3.<Region>.amazonaws.com for the key's Region) to the statement that grants the Data 360 IAM user access, so the key can only be used through S3. This is hardening, not a fix for a failure. |
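The following is an added example, not Data 360 or AWS code: a small linter that checks a bucket policy and a KMS key policy against the three rules in the table (no VPC condition in the key policy, a VPCE-conditioned Deny for the Data 360 user in the bucket policy, and a kms:ViaService condition on the key grant). The sample policies are constructed for this example; the account ID, user name, bucket name, Region and VPCE ID are placeholders.

```python
# Added example (not Data 360 or AWS code): lint the two policies the table
# above describes. All identifiers below are placeholders for this example.

VPC_CONDITION_KEYS = {"aws:sourcevpc", "aws:sourcevpce"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_arns(stmt):
    """Principals of a statement as a set ("*" or the AWS entry of a dict)."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return set(_as_list(principal.get("AWS", [])))
    return {principal}


def _condition_keys(stmt):
    """All condition keys of a statement, lower-cased (IAM keys are case-insensitive)."""
    keys = set()
    for mapping in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in mapping)
    return keys


def kms_vpc_conditions(key_policy):
    """Sids of key-policy statements carrying aws:SourceVpc / aws:SourceVpce.

    For SSE-KMS, S3 calls kms:Decrypt on the caller's behalf, so that request
    does not come through the customer's VPC endpoint and the condition fails.
    """
    return [stmt.get("Sid", f"Statement[{i}]")
            for i, stmt in enumerate(key_policy["Statement"])
            if _condition_keys(stmt) & VPC_CONDITION_KEYS]


def bucket_has_vpce_deny(bucket_policy, user_arn, vpce_id):
    """True if a Deny targets user_arn with StringNotEquals aws:SourceVpce == vpce_id."""
    for stmt in bucket_policy["Statement"]:
        if stmt.get("Effect") != "Deny" or user_arn not in _principal_arns(stmt):
            continue
        for operator, mapping in stmt.get("Condition", {}).items():
            if operator.lower() != "stringnotequals":
                continue
            for key, value in mapping.items():
                if key.lower() == "aws:sourcevpce" and vpce_id in _as_list(value):
                    return True
    return False


def kms_allows_without_viaservice(key_policy, user_arn):
    """Sids of Allow statements for user_arn that have no kms:ViaService condition."""
    return [stmt.get("Sid", f"Statement[{i}]")
            for i, stmt in enumerate(key_policy["Statement"])
            if stmt.get("Effect") == "Allow"
            and user_arn in _principal_arns(stmt)
            and "kms:viaservice" not in _condition_keys(stmt)]


def lint(bucket_policy, key_policy, user_arn, vpce_id):
    """Findings against the pattern in the table; an empty list means it matches."""
    findings = [f"KMS key policy {sid}: remove the aws:SourceVpc/aws:SourceVpce condition"
                for sid in kms_vpc_conditions(key_policy)]
    if not bucket_has_vpce_deny(bucket_policy, user_arn, vpce_id):
        findings.append("bucket policy: no Deny for the Data 360 user "
                        "conditioned on aws:SourceVpce")
    findings += [f"KMS key policy {sid}: add a kms:ViaService condition (hardening)"
                 for sid in kms_allows_without_viaservice(key_policy, user_arn)]
    return findings


# Constructed sample policies with placeholder identifiers.
USER_ARN = "arn:aws:iam::111122223333:user/data360-user"
VPCE_ID = "vpce-0123456789abcdef0"
BUCKET_ARNS = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowData360Read", "Effect": "Allow", "Principal": {"AWS": USER_ARN},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": BUCKET_ARNS},
    # The VPC restriction belongs here, as a Deny, not in the key policy.
    {"Sid": "DenyData360OutsideVpce", "Effect": "Deny", "Principal": {"AWS": USER_ARN},
     "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
]}

# Broken: the VPC condition was copied onto the key policy, and ViaService is missing.
BAD_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRootPermissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowData360Decrypt", "Effect": "Allow", "Principal": {"AWS": USER_ARN},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:SourceVpce": VPCE_ID}}},
]}

# Fixed: no VPC condition; the key may only be used through S3 in this Region.
GOOD_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    BAD_KEY_POLICY["Statement"][0],
    {"Sid": "AllowData360Decrypt", "Effect": "Allow", "Principal": {"AWS": USER_ARN},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
]}

if __name__ == "__main__":
    for name, policy in (("broken", BAD_KEY_POLICY), ("fixed", GOOD_KEY_POLICY)):
        print(name, lint(BUCKET_POLICY, policy, USER_ARN, VPCE_ID) or ["ok"])
```

Run it against your own policies by loading them with `json.load` and passing the dicts to `lint` with the Data 360 user's ARN and your VPCE ID; the broken sample produces two findings on `AllowData360Decrypt`, the fixed one produces none. The check only looks for the conditions discussed on this page; it does not evaluate the full IAM policy logic.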