En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Unable to access shared customer managed key in my another aws account

0

Hi Team, we are actually trying to share form one our aws account (ACC1) IAM user (juenwei) a customer managed kms key with name (keygenerated-26-10) to the account (ACC2) IAM user (juenwei-dr), both account are part of same organization.

here are the key- policy from juenwei account,

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACC1-ID:root",
                    "arn:aws:iam::ACC1-ID:user/juenwei"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACC1-ID:user/juenwei"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACC2-ID:root",
                    "arn:aws:iam::ACC2-ID:user/juenwei-dr"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACC2-ID:root",
                    "arn:aws:iam::ACC2-ID:user/juenwei-dr"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

we have allowed to both root and juenwei-dr user with the access of key. also in juenwei-dr account we have attached a permission to access this kms key from source account here the policy attached,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:ap-southeast-1:ACC1-ID:key/4015d80b-24eb-4be6-b856-83054097c95c"
            ]
        },
        {
            "Sid": "AllowAttachmentOfPersistentResources",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": [
                "arn:aws:kms:ap-southeast-1:ACC1-ID:key/4015d80b-24eb-4be6-b856-83054097c95c"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

even after adding this permissions we are still not able to see the shared key in juenwei-dr acount. requesting you to please look into this isssue, any kind of help or resolution is really appriciated.

Sujets
Sécurité, identité et conformitéGestion et gouvernance
Balises
Service AWS Key ManagementGestion des identités et des accès AWSOrganisations AWSPolitiques IAM
Langue
English
Shriram
demandé il y a 7 mois333 vues
1 réponse
1
Réponse acceptée

Hi,

Please, follow precisely this guidance to implement KMS key sharing across accounts: https://aws.amazon.com/blogs/security/share-custom-encryption-keys-more-securely-between-accounts-by-using-aws-key-management-service/

Best,

Didier

profile pictureAWS
EXPERT
Didier_Durand
répondu il y a 7 mois
profile picture
EXPERT
Gary Mclean
vérifié il y a 2 mois
  • Shriram
    il y a 7 mois

    This document is older one, options has been change in New UI

  • Shriram
    il y a 7 mois

    Seems like, shared key will not be visible in Destination accounts KMS section, we can only use it by its ARN

  • Didier_Durand EXPERT
    il y a 7 mois

    Hi, yes, console views usually display only corresponding resources of the account, not cross-account resources. It is same thing for example with S3, etc. So, yes, you must know the ARN of the resource shared with you. Best, Didier

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents