Sharing CMKs across accounts
Sharing a CMK with another AWS account takes two policies: a statement in the CMK's key policy (in the account that owns the key) that names the external account or its principals, and an IAM policy in the consuming account that delegates use of the key to specific roles or users. Cross-account access is granted only where both policies allow the action.
Add a statement like the following to the CMK's key policy. Listing the external account's root ARN allows any principal in that account that is also granted access by an IAM policy there; listing specific role or user ARNs instead restricts use of the key to those principals. (Both forms are shown together here; use the one that fits.)
{
    "Sid": "Allow an external account to use this CMK",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::444455556666:root",
            "arn:aws:iam::444455556666:role/ExampleRole",
            "arn:aws:iam::444455556666:user/ExampleUser"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}
In the consuming account (444455556666), attach an IAM policy to the role or user that should use the key. The Resource must be the full ARN of the CMK in the owning account (111122223333); a key policy entry for the account root on its own grants nothing until this delegation is in place:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfCMKInAccount111122223333",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}
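The two-policy rule above is easy to get wrong in review (a key policy that names the external account root looks like it grants access, but the caller still needs an IAM policy in its own account). The following script is an added example, not AWS code or part of the original page: it embeds constructed copies of the two policies shown above and evaluates whether a given cross-account caller may perform a KMS action, requiring an Allow from both sides. It is a simplified model that ignores Deny statements, conditions and grants, and all account IDs and ARNs are the placeholder values from this page.

```python
import fnmatch

# Constructed sample values mirroring the page's placeholders.
KEY_ACCOUNT = "111122223333"
EXTERNAL_ACCOUNT = "444455556666"
KEY_ARN = (
    f"arn:aws:kms:us-west-2:{KEY_ACCOUNT}:key/"
    "1234abcd-12ab-34cd-56ef-1234567890ab"
)

# Key policy in the key-owning account (constructed from the page's statement).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow an external account to use this CMK",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{EXTERNAL_ACCOUNT}:root"]},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        }
    ],
}

# IAM policy attached to the role/user in the consuming account.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfCMKInAccount111122223333",
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": KEY_ARN,
        }
    ],
}

# A consuming-account principal with no delegation at all.
EMPTY_IAM_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, candidate):
    # IAM action names are case-insensitive; '*' wildcards as in "kms:ReEncrypt*".
    return fnmatch.fnmatchcase(candidate.lower(), pattern.lower())


def account_of(arn):
    # ARN layout: arn:partition:service:region:account-id:resource
    return arn.split(":")[4]


def key_policy_allows(key_policy, caller_arn, action):
    """True if an Allow statement names the caller (or its account root) for the action."""
    root_arn = f"arn:aws:iam::{account_of(caller_arn)}:root"
    for st in key_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if not any(p in (caller_arn, root_arn) for p in principals):
            continue
        if any(_matches(a, action) for a in _as_list(st["Action"])):
            return True
    return False


def iam_policy_allows(iam_policy, action, key_arn):
    """True if the caller's IAM policy allows the action on this specific key ARN."""
    for st in iam_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        action_ok = any(_matches(a, action) for a in _as_list(st["Action"]))
        resource_ok = any(_matches(r, key_arn) for r in _as_list(st["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def cross_account_allowed(key_policy, iam_policy, caller_arn, action, key_arn):
    """Cross-account KMS use needs an Allow from BOTH the key policy and the caller's IAM policy."""
    if account_of(caller_arn) == account_of(key_arn):
        raise ValueError("same-account access is evaluated differently; this model is cross-account only")
    return (key_policy_allows(key_policy, caller_arn, action)
            and iam_policy_allows(iam_policy, action, key_arn))


if __name__ == "__main__":
    role = f"arn:aws:iam::{EXTERNAL_ACCOUNT}:role/ExampleRole"
    for action, policy in [("kms:Decrypt", IAM_POLICY), ("kms:Decrypt", EMPTY_IAM_POLICY),
                           ("kms:ReEncryptFrom", IAM_POLICY), ("kms:ScheduleKeyDeletion", IAM_POLICY)]:
        print(action, "->", cross_account_allowed(KEY_POLICY, policy, role, action, KEY_ARN))
```

Running it shows that ExampleRole can Decrypt and ReEncryptFrom (the wildcard "kms:ReEncrypt*" covers it) only when its own account's IAM policy delegates the key, that the same role with no IAM policy is refused even though the key policy names the account root, and that an action absent from both policies, such as kms:ScheduleKeyDeletion, is never allowed.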