Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
How do I share my AWS KMS keys across multiple AWS accounts?
I want to securely grant another AWS account access to my AWS Key Management Service (AWS KMS) key.
Resolution
To share an AWS KMS key with another account, you must grant the following permissions to the secondary account:
- Add permissions to use the AWS KMS key policy in the account that owns the key. For more information and an example key policy statement, see Add a key policy statement in the local account.
- Attach permissions for AWS Identity and Access Management (IAM) policies in the secondary account that grant access to use the AWS KMS key.
You can also use automated monitoring tools to monitor your AWS KMS keys.
Note: It's a best practice to grant least permissions access to your resources if you share resources with accounts that you don't own.
Related information
Allow a user to encrypt and decrypt with specific AWS KMS keys
Share custom encryption keys more securely between accounts by using AWS KMS
- Language
- English
In addition to an "proper" IAM policy on the secondary account, the secondary account must be given access by the KMS key policy, as outlined in Allowing users in other accounts to use a KMS key
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Relevant content
- asked 3 years ago
