


 Resolution
-----------



 To grant another account access to a KMS key, create an IAM policy on the secondary account that grants access to use the KMS key. For instructions, see [Allowing users in other accounts to use a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html).


You can also use [automated monitoring tools](https://docs.aws.amazon.com/kms/latest/developerguide/monitoring-overview.html#monitoring-tools) to monitor your KMS keys.


**Note:** It’s a best practice to [grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) access to your resources, especially when sharing them with accounts you don’t own.





---




 Related information
--------------------



[Allow a user to encrypt and decrypt with specific KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/customer-managed-policies.html#iam-policy-example-encrypt-decrypt-specific-cmks)


[Share custom encryption keys more securely between accounts by using AWS Key Management Service](https://blogs.aws.amazon.com/security/post/Tx2N2SRHXSNEX91/Share-Custom-Encryption-Keys-More-Securely-Between-Accounts-by-Using-AWS-Key-Man)







I want to securely grant access to my AWS KMS key to another AWS account, so that it can be used to encrypt and decrypt data on that account. What is the best way to share my KMS key?

How do I share my AWS KMS keys across multiple AWS accounts?

Security, Identity, & Compliance

How do I share my AWS KMS keys across multiple AWS accounts?

Resolution

Related information

Related videos

Relevant content