Problem description
When you replicate data across accounts, either the key policy of the Key Management Service (KMS) key used in the destination region does not grant the GenerateDataKey permission to the role that you authorized OSS to use to replicate data, or the KMS key specified in the data replication rule does not exist.
Causes
You initiated a cross-account PutBucketReplication request, but either the key policy of the KMS key used in the destination region does not grant the GenerateDataKey permission to the role that you authorized OSS to use to replicate data, or the KMS key specified in the data replication rule does not exist.
Solutions
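Check whether the value of the ReplicaKmsKeyID parameter in the cross-account PutBucketReplication request is valid. If the value is valid, configure a key policy for the cross-account user so that the role that OSS uses to replicate data is granted the GenerateDataKey permission on the KMS key.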
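The following is an added example, not code from the original page or from OSS or KMS tooling: a local check of a key policy document for the missing grant before you resubmit the request. It assumes the key policy is a JSON document with Statement, Effect, Principal and Action fields; the account ID, role name and both policies are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

REQUIRED_ACTION = "kms:GenerateDataKey"

def _as_list(value):
    """Policy fields may hold one item or a list of items."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _principals(statement):
    """Collect principal ARNs; assumed layout: {"Principal": {"RAM": [...]}}."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return [arn for values in principal.values() for arn in _as_list(values)]

def _covers(statement, role_arn):
    """True if the statement names both the role and the required action."""
    action_hit = any(fnmatchcase(REQUIRED_ACTION.lower(), a.lower())
                     for a in _as_list(statement.get("Action")))
    principal_hit = any(fnmatchcase(role_arn, p) for p in _principals(statement))
    return action_hit and principal_hit

def role_can_generate_data_key(policy_json, role_arn):
    """An Allow must cover the role and action; any matching Deny wins."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    effects = {s.get("Effect") for s in statements if _covers(s, role_arn)}
    return "Allow" in effects and "Deny" not in effects

# Constructed sample data: account ID, role name and policies are placeholders.
ROLE = "acs:ram::1000000000000001:role/oss-replication-role"
POLICY_MISSING = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Principal": {"RAM": [ROLE]},
    "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": ["*"]}]})
POLICY_FIXED = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Principal": {"RAM": [ROLE]},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": ["*"]}]})

if __name__ == "__main__":
    for name, doc in (("missing", POLICY_MISSING), ("fixed", POLICY_FIXED)):
        print(name, role_can_generate_data_key(doc, ROLE))
```

The check does not evaluate Resource or Condition elements, so a True result means only that the grant is present in the document.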