How do I share my AWS KMS keys across multiple AWS accounts?

2 minute read
0

I want to securely grant another AWS account access to my AWS Key Management Service (AWS KMS) key.

Resolution

To share an AWS KMS key with another account, you must grant the following permissions to the secondary account:

  • Key policy: The secondary account must have permission to use the AWS KMS key policy. This policy exists in the account that owns the key. For more information and an example key policy statement, see Add a key policy statement in the local account.
  • AWS Identity and Access Management (IAM) policies: The secondary account must have permissions for policies that grant access to use the key.

For instructions on how to grant access to the key with a key policy and IAM policies, see Allowing users in other accounts to use an AWS KMS key.

You can also use automated monitoring tools to monitor your AWS KMS keys.

Note: It's a best practice to grant least privilege access to your resources, especially when you share them with accounts that you don't own.

Related information

Allow a user to encrypt and decrypt with specific AWS KMS keys

Share custom encryption keys more securely between accounts by using AWS Key Management Service

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago
2 Comments

In addition to an "proper" IAM policy on the secondary account, the secondary account must be given access by the KMS key policy, as outlined in Allowing users in other accounts to use a KMS key

eric_g
replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 10 months ago