aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0
1.03k stars 323 forks

SSM run command output doesn't work with cross-account KMS keys #477

Open Eelviny opened 1 year ago

Eelviny commented 1 year ago

Here to report a bug!

In my setup, I wish to collect the logs of Run Command into an S3 bucket that is in a central Log Archive AWS account. We have requirements that everything must be encrypted at rest. The S3 bucket in this account has a KMS key in the same account set as the default encryption.

  1. Do an SSM Run Command, and specify that the log output should go to this S3 bucket
  2. The command completes successfully but no logs are placed into the bucket
  3. Looking at the error logs, I see an error stating that the KMS Key was not found

This happens because the agent performs an S3 GetBucketEncryption API call to find the key, and this call responds only with the KMS Key ID. The agent then assumes that the key is within its own account, but the key exists in the Log Archive account.

I understand why this is happening - to target the right account, the agent needs to know the ARN of the key, not the ID. Maybe it can fall back and find the account owner of the S3 bucket, and try that as a second option?

okonos commented 1 year ago

Works fine when the S3 bucket's server side encryption configuration has the KMS key ARN specified instead of plain ID.
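The following is an added example, not code from the amazon-ssm-agent project or from either commenter. It shows the check a defender can run before pointing Run Command output at a cross-account bucket: parse the bucket's GetBucketEncryption configuration (shaped like the response boto3's `s3.get_bucket_encryption()` returns), detect the failure mode Eelviny describes (a bare KMS key ID that the writing account will resolve against its own KMS), and produce the corrected configuration okonos recommends, with the key expressed as a full ARN. The response dict, account numbers and key ID below are constructed placeholders; the ARN pattern is an assumption about the `arn:aws:kms:<region>:<account>:key/<id>` and `alias/<name>` forms.

```python
import copy
import re
from typing import Optional

# Constructed GetBucketEncryption response, in the shape returned by
# boto3's s3.get_bucket_encryption(). Key ID and accounts are placeholders.
SAMPLE_RESPONSE_KEY_ID_ONLY = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "1234abcd-12ab-34cd-56ef-1234567890ab",
                },
                "BucketKeyEnabled": True,
            }
        ]
    }
}

# Assumed ARN shape for KMS keys and aliases (region + 12-digit account embedded).
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:(key|alias)/.+$")


def default_kms_key(response: dict) -> Optional[str]:
    """Return KMSMasterKeyID from the first aws:kms default-encryption rule, else None."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            return default.get("KMSMasterKeyID")
    return None


def is_cross_account_risk(response: dict, bucket_owner_account: str,
                          writer_account: str) -> bool:
    """True when the bucket's default key is a bare ID/alias name (no ARN) and the
    writer is in a different account than the bucket owner: the writer's KMS
    lookup resolves the ID in its own account and reports the key as not found."""
    key = default_kms_key(response)
    if key is None:
        return False  # SSE-S3 or no default encryption: nothing to look up in KMS
    if KEY_ARN_RE.match(key):
        return False  # ARN already carries region and account, so it resolves
    return bucket_owner_account != writer_account


def to_key_arn(key_id: str, region: str, account: str) -> str:
    """Build the full key ARN for a bare key ID or alias name; ARNs pass through."""
    if KEY_ARN_RE.match(key_id):
        return key_id
    resource = key_id if key_id.startswith("alias/") else f"key/{key_id}"
    return f"arn:aws:kms:{region}:{account}:{resource}"


def corrected_encryption_config(response: dict, region: str,
                                bucket_owner_account: str) -> dict:
    """Return a ServerSideEncryptionConfiguration (the argument shape expected by
    s3.put_bucket_encryption) with every aws:kms key rewritten as an ARN."""
    config = copy.deepcopy(response["ServerSideEncryptionConfiguration"])
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID"):
            default["KMSMasterKeyID"] = to_key_arn(
                default["KMSMasterKeyID"], region, bucket_owner_account)
    return config


if __name__ == "__main__":
    # Placeholder accounts: Log Archive owns the bucket, workload writes to it.
    log_archive, workload, region = "111111111111", "222222222222", "us-east-1"
    print("key in bucket config:", default_kms_key(SAMPLE_RESPONSE_KEY_ID_ONLY))
    print("cross-account lookup will fail:",
          is_cross_account_risk(SAMPLE_RESPONSE_KEY_ID_ONLY, log_archive, workload))
    fixed = corrected_encryption_config(SAMPLE_RESPONSE_KEY_ID_ONLY, region, log_archive)
    print("corrected config:", fixed)
```

To apply the corrected configuration to a live bucket, pass the returned dict as `ServerSideEncryptionConfiguration` to `s3.put_bucket_encryption(Bucket=...)` from the bucket-owning account. Expressing the key as an ARN fixes the lookup the issue describes; the key policy in the Log Archive account must still grant the writing role permission to use the key for encryption, or the upload fails on the KMS call rather than on the lookup.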