How do I share my AWS KMS keys across multiple AWS accounts?

I want to securely grant access to my AWS KMS key to another AWS account, so that it can be used to encrypt and decrypt data on that account. What is the best way to share my KMS key?

Resolution

To grant another account access to a KMS key, create an IAM policy on the secondary account that grants access to use the KMS key. For instructions, see Allowing users in other accounts to use a KMS key.

You can also use automated monitoring tools to monitor your KMS keys.

Note: It’s a best practice to grant least privilege access to your resources, especially when sharing them with accounts you don’t own.
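The following check is an added example, not AWS code: cross-account use also depends on the key policy in the account that owns the key, so it audits a key policy for external principals granted more than cryptographic use. The account IDs, role name, and sample policy are constructed placeholders, and the `USE_ACTIONS` allow-list is an assumption to adapt to your own least-privilege baseline.

```python
import json

USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"}  # use only, no admin

# Constructed sample key policy; account IDs and role name are placeholders.
SAMPLE_KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OwnerAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "PartnerUse", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:role/AppRole"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "TooBroad", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::777788889999:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Anyone", "Effect": "Allow", "Principal": "*",
     "Action": "kms:Decrypt", "Resource": "*"}
  ]
}""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def aws_principals(principal):
    """AWS principals named by a statement; "*" means any principal."""
    return ["*"] if principal == "*" else as_list(principal.get("AWS", []))

def audit_key_policy(policy, owner_account):
    """Return (sid, principal, reason) for risky cross-account Allow statements."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        extra = sorted(set(as_list(stmt.get("Action", []))) - USE_ACTIONS)
        for arn in aws_principals(stmt.get("Principal", {})):
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account == owner_account:
                continue  # same-account access is out of scope here
            if arn == "*" and "Condition" not in stmt:
                findings.append((sid, arn, "any principal, no Condition"))
            elif extra:
                findings.append((sid, arn, "beyond key use: " + ", ".join(extra)))
    return findings
```

Call `audit_key_policy(SAMPLE_KEY_POLICY, "111122223333")` to list the flagged statements; a policy exported from your own key can be passed in the same way after `json.loads`.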


Related information

Allow a user to encrypt and decrypt with specific KMS keys

Share custom encryption keys more securely between accounts by using AWS Key Management Service

AWS OFFICIAL, updated 2 years ago