Support Center > Search Results > SecureKnowledge Details
CloudGuard cannot pull Metadata from some AWS KMS keys Technical Level
  • AWS KMS key cannot synchronize with CloudGuard, and CloudGuard does not pull all or some of the key's metadata
  • Users get the error "kms:getKeyRotationStatus": Denied. 

AWS permission blocks CloudGuard access to Key Management Service (KMS) metadata.

This usually happens with keys created with an automation tool, such as StackSet. 

The role below was created with a KMS using StackSet. This role does not have the required permissions to synchronize with CloudGuard. As a result, the CloudGuard role cannot retrieve information and fails.

            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:role/this/is/example"
            "Action": [

The correct IAM entity must have the key policy that allows the root and therefore every IAM entity to access the key. This way you can properly synchronize with CloudGuard.

            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:root"
            "Action": "kms:*",
            "Resource": "*"

Note: To view this solution you need to Sign In .