IAM `kms:GenerateDataKey` cannot be restricted to specific resources according to IAM. This results in a warning and a missing permission.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:<region>:<account_id>:key/<key_id>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket>/*"
      ]
    }
  ]
}
```
```
[2018-03-12 19:08:22.130] Task execution has started.
[2018-03-12 19:08:22.140] Aborted the task because of a task failure or an overlap with your preferred backup window for RDS automated backup.
[2018-03-12 19:08:22.143] User: arn:aws:sts::<account_id>:assumed-role/NativeRDSBackups/RDS-SqlServerBackupRestore is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-east-1:<account_id>:key/<key_id>
```
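An added check, not part of the original report: a minimal local evaluator for the identity policy above (Allow/Deny with IAM-style `*`/`?` wildcards; NotAction, NotResource and Condition are not modelled). Run against the action and resource from the log line it returns True, i.e. this identity policy on its own does grant `kms:GenerateDataKey` on that key, so the denial must come from elsewhere in the authorization chain, such as the KMS key policy, which is evaluated alongside the identity policy for every KMS call.

```python
import fnmatch

# Constructed copy of the identity policy from this page; the <...> placeholders are kept as written.
KEY_ARN = "arn:aws:kms:<region>:<account_id>:key/<key_id>"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt", "kms:DescribeKey"],
         "Resource": [KEY_ARN]},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::<bucket>"]},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListMultipartUploadParts",
                    "s3:AbortMultipartUpload"],
         "Resource": ["arn:aws:s3:::<bucket>/*"]},
    ],
}
# Action and resource taken from the "not authorized" log line on this page.
DENIED_ACTION = "kms:GenerateDataKey"
DENIED_RESOURCE = "arn:aws:kms:us-east-1:<account_id>:key/<key_id>"


def _matches(patterns, value, case_insensitive):
    # Policy elements may be a string or a list; IAM treats '*' and '?' as wildcards.
    # Action names match case-insensitively, resource ARNs do not.
    for pattern in (patterns if isinstance(patterns, list) else [patterns]):
        p, v = (pattern.lower(), value.lower()) if case_insensitive else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def identity_policy_allows(policy, action, resource):
    """Evaluate one identity policy: an explicit Deny wins, otherwise any matching Allow grants.
    NotAction, NotResource and Condition are not modelled; statements using them are skipped."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(k in stmt for k in ("NotAction", "NotResource", "Condition")):
            continue
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_insensitive=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

For the authoritative decision on the real account, run `aws iam simulate-principal-policy` for the role ARN from the log with the same action and resource, and inspect the KMS key policy separately, since the local evaluator only sees this one document.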