2. Choose Customer managed keys, and then select the appropriate key.
3. Under Key policy, scroll to Key users. Verify that the Key users section lists all internal and external accounts and users that require access to the key.
3. If any accounts or users are missing from the Key users section, then under Key policy, choose Switch to policy view.
Note: If you manually edited the AWS KMS key policy at any point, then the key policy is available only in policy (JSON) view.
4. Verify that the Allow use of the key statement in the key policy is correct. The statement must include the ARNs of all accounts and users that require access to the key.
The following is an example snippet of the Allow use of the key statement in the default key policy. The example includes the following ARNs:
The external AWS account that contains the copied AMI.
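The check in steps 3 to 5 can be automated against the JSON view of the key policy. The following script is an added example, not part of the original article: it reads a key policy document, collects the principals that are granted the five key-usage actions of the default Allow use of the key statement, and reports which required ARNs are missing. The sample policy, the account numbers and the ami-copier user name are constructed placeholders.

```python
# The five actions granted by the "Allow use of the key" statement in
# the default AWS KMS key policy.
KEY_USAGE_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
}

def _as_list(value):
    """Policy JSON lets a single value stand for a one-element list."""
    return value if isinstance(value, list) else [value]

def key_users(policy):
    """Return the set of AWS principal ARNs granted every key-usage action."""
    users = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if "kms:*" not in actions and not KEY_USAGE_ACTIONS <= actions:
            continue  # statement does not grant full key usage
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous access: report it rather than hide it
            users.add("*")
            continue
        users.update(_as_list(principal.get("AWS", [])))
    return users

def missing_key_users(policy, required_arns):
    """ARNs that need access to the key but are absent from its policy."""
    return sorted(set(required_arns) - key_users(policy))

# Constructed sample key policy; the account numbers are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:user/ami-copier",
                               "arn:aws:iam::222222222222:root"]},
         "Action": sorted(KEY_USAGE_ACTIONS), "Resource": "*"},
    ],
}

# Principals that must be able to use the key; the last one was never added.
REQUIRED = ["arn:aws:iam::111111111111:user/ami-copier",
            "arn:aws:iam::222222222222:root",
            "arn:aws:iam::333333333333:root"]
```

Running `missing_key_users(SAMPLE_POLICY, REQUIRED)` returns the one external account that still has to be added to the Allow use of the key statement.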
Create the IAM policy and attach it to your IAM user or group
To create an IAM policy and attach it to your IAM user or group, complete the following steps:
Note: If you already created an IAM policy, then proceed to step 7 to attach the policy.
1. Open the IAM console as a user that has administrator permissions.
2. Choose Policies.
3. Choose Create policy.
4. Choose the JSON tab. Copy the following example JSON policy, and then enter it into the JSON text box. Replace arn:aws:kms:REGION:MAINACCOUNTNUMBER:key/1a345678-1234-1234-1234-EXAMPLE with the ARN of your AWS KMS key.
5. Choose Review policy. The Policy Validator reports any syntax errors.
6. On the Review page, enter KmsKeyUsagePolicy for the policy name. Review the policy summary to see the permissions that your policy grants, and then choose Create policy to save the policy. The new policy appears in the list of managed policies and is ready to attach to your IAM user or group.
7. In the navigation pane of the IAM console, choose Policies.
8. In the search box, enter KmsKeyUsagePolicy. Then, check the box that's next to KmsKeyUsagePolicy.
9. Choose Policy actions, and then choose Attach.
10. For Filter, choose Users.
11. In the search box, enter your username. Then, check the box that's next to your username.