Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!
How do I share my AWS KMS keys across multiple AWS accounts?
I want to securely grant another AWS account access to my AWS Key Management Service (AWS KMS) key.
Resolution
To share an AWS KMS key with another account, you must grant the following permissions to the secondary account:
- Key policy: The secondary account must have permission to use the AWS KMS key policy. This policy exists in the account that owns the key. For more information and an example key policy statement, see Add a key policy statement in the local account.
- AWS Identity and Access Management (IAM) policies: The secondary account must have permissions for policies that grant access to use the key.
For instructions on how to grant access to the key with a key policy and IAM policies, see Allowing users in other accounts to use an AWS KMS key.
You can also use automated monitoring tools to monitor your AWS KMS keys.
Note: It's a best practice to grant least privilege access to your resources, especially when you share them with accounts that you don't own.
Related information
Allow a user to encrypt and decrypt with specific AWS KMS keys
Share custom encryption keys more securely between accounts by using AWS Key Management Service
In addition to an "proper" IAM policy on the secondary account, the secondary account must be given access by the KMS key policy, as outlined in Allowing users in other accounts to use a KMS key
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Relevant content
- asked 2 years ago
