Bugs That Bite
Published in

Bugs That Bite

(AccessDeniedException) when calling the PutParameter operation: null (Service: AWSKMS …)

If you’re trying to set a parameter value in AWS Systems Manager Parameter Store you might get this error:

An error occurred (AccessDeniedException) when calling the PutParameter operation: null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxxxxx; Proxy: null)

You can see the service “AWSKMS” here which indicates that the error is coming from KMS, even though you’re making a call to AWS Systems Manager Parameter Store.

THANK YOU to whomever is adding this very helpful information.

In this case you must be trying to store a parameter of type SecretString and passing in a KMS key id. In order to use that KMS key you need two things:

  1. Permission to use the KMS service in AWS IAM.
  2. Permission to use that specific key in the resource policy attached to that key.

In this case you likely don’t have #2. Navigate to KMS, click on your key, and add a policy that allows you to encrypt data with that key.

Fix: It would be nice to add the principal, key ID, the missing permission (encrypt, decrypt, etc.), and the policy that is missing permissions (like resource policy for KMS Key ID: xyz.

If this helped you or you had this problem, please clap!

Teri Radichel — Follow me:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022


About this blog:

Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Teri Radichel

Teri Radichel

Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN | AWS Hero | Infragard | IANS Faculty | 2ndSightLab.com