<h1 id="sharing-cmks-across-accounts">Sharing CMKs across accounts<a aria-hidden="true" class="anchor-heading icon-link" href="#sharing-cmks-across-accounts"></a></h1>
<a href="/notes/cbb16e7d-757c-49a4-bdc7-0e9637d924a6">IAM</a> policy can be used to allow sharing a <abbr title="Customer Master Key">CMK</abbr> between <abbr title="Amazon Web Services">AWS</abbr> accounts.
Add a key policy to the <abbr title="Customer Master Key">CMK</abbr>:
<pre class="language-json"><code class="language-json">{
 "Sid": "Allow an external account to use this CMK",
 "Effect": "Allow",
 "Principal": {
 "AWS": [
 // Allow access to the entire account
 "arn:aws:iam::444455556666:root",

 // ...or just specific roles and users
 "arn:aws:iam::444455556666:role/ExampleRole",
 "arn:aws:iam::444455556666:user/ExampleUser"
 ]
 },
 "Action": [
 "kms:Encrypt",
 "kms:Decrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",
 "kms:DescribeKey"
 ],
 "Resource": "*"
}
</code></pre>
In the consuming account, delegate access to the <abbr title="Customer Master Key">CMK</abbr>:
<pre class="language-json"><code class="language-json">{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "AllowUseOfCMKInAccount111122223333",
 "Effect": "Allow",
 "Action": [
 "kms:Encrypt",
 "kms:Decrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",
 "kms:DescribeKey"
 ],
 "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
 }
 ]
}
</code></pre>

Sharing CMKs across accounts


![Digital brain](assets/images/logo.svg){display: block, margin: 0 auto, max-height: 50vh}

Hi, I'm Luke 👋

I'm a software engineer turned site reliability engineer. I'm currently big on knowledge management and learning.

# Find me elsewhere

- [👨‍💻 DEV](https://dev.to/lukecarrier)
- [🚢 GitHub](https://github.com/LukeCarrier)
- [👔 LinkedIn](https://www.linkedin.com/in/lukecarrier/)
- [📄 Résumé](https://github.com/LukeCarrier/resume)
