I am trying to allow the use of my KMS key from 'Account A' in 'Account B', but I seem to be missing a step. Please let me know if you can see what I'm doing wrong.
The context is that I am sharing a DB snapshot, and the snapshot is encrypted using a CMK in Account A.
What I have done:
Following this document as guidance: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
In Account A's KMS, I updated the key policy with the following:
{
    "Sid": "Allow an external account to use this KMS key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<Account B>:root"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}
This key policy does have more, but there are no deny statements in it.
And then in Account B I have created a new IAM policy with the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfKeyInAccountA",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:<REGION>:<ACCOUNTA>:key/<KEYID>"
        }
    ]
}
I attached this policy to the role I'm currently using and then logged out and back in again to the console.
Then I went to the snapshots shared with me and attempted to copy that snapshot that was shared from Account A.
When I try to save it off though, I get an error:
The source snapshot KMS key [arn:aws:kms:<REGION>:<ACCOUNTA>:key/<KEYID> matching the CMK ARN and policy above] does not exist, is not enabled or you do not have permissions to access it.
What step did I miss?
+1 I was about to clarify which DB you were using but glad that you found the answer. The key policy and what you need to give access can be different from service to service. For RDS, you would need kms:CreateGrant. These details can often be found in each service's Developer Guide under Security > Data protection (e.g., https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.html)
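As an added example, not code from the question or the reply above: the script below takes the key-policy statement exactly as posted, checks it against the concrete KMS actions an RDS cross-account snapshot copy exercises, and reports that kms:CreateGrant is the only one missing. It then shows a second key-policy statement that adds kms:CreateGrant, restricted with the kms:GrantIsForAWSResource condition so Account B can only create grants on behalf of an AWS service such as RDS, plus the matching Account B identity policy. The account IDs, region and key ID are constructed placeholders, and the policy evaluator is a deliberately simplified model (principal and action matching with explicit deny winning; it ignores Condition blocks), not the real IAM engine.

```python
"""Check a KMS key policy for the actions an RDS cross-account snapshot
copy needs, and build the corrected policy statements.

Added example; account IDs, region and key ID below are placeholders.
"""
import fnmatch
import json

# Constructed placeholders, not real account IDs or key IDs.
ACCOUNT_B = "111122223333"
ACCOUNT_B_ROOT = f"arn:aws:iam::{ACCOUNT_B}:root"
KEY_ARN = "arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Concrete KMS actions behind the wildcards used in the posted policies,
# plus kms:CreateGrant, which RDS needs to attach a grant to the key.
RDS_SNAPSHOT_COPY_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
}

# The key-policy statement from the question, as posted (no kms:CreateGrant).
ORIGINAL_STATEMENT = {
    "Sid": "Allow an external account to use this KMS key",
    "Effect": "Allow",
    "Principal": {"AWS": ACCOUNT_B_ROOT},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": "*",
}

# Corrected key policy: the original statement plus a grant statement.
# kms:GrantIsForAWSResource limits grant creation to calls made on behalf
# of an AWS service (RDS here), so Account B cannot hand the key to
# arbitrary principals via grants.
FIXED_STATEMENTS = [
    ORIGINAL_STATEMENT,
    {
        "Sid": "Allow attachment of persistent resources",
        "Effect": "Allow",
        "Principal": {"AWS": ACCOUNT_B_ROOT},
        "Action": "kms:CreateGrant",
        "Resource": "*",
        "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
    },
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in arns or principal_arn in arns


def _action_matches(patterns, action):
    # IAM action wildcards behave like shell globs ("kms:ReEncrypt*").
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(patterns))


def evaluate(statements, principal_arn, action):
    """Simplified key-policy evaluation: implicit deny, explicit Deny wins,
    otherwise any matching Allow. Condition blocks are not modelled."""
    decision = "Deny"
    for statement in statements:
        if not _principal_matches(statement, principal_arn):
            continue
        if not _action_matches(statement.get("Action", []), action):
            continue
        if statement.get("Effect") == "Deny":
            return "Deny"
        if statement.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def missing_actions(statements, principal_arn, required=RDS_SNAPSHOT_COPY_ACTIONS):
    """Return the required actions the key policy does not allow the principal."""
    return {a for a in sorted(required) if evaluate(statements, principal_arn, a) != "Allow"}


def account_b_iam_policy(key_arn=KEY_ARN):
    """Identity policy for the role in Account B, scoped to the Account A key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowUseOfKeyInAccountA",
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
            "Resource": key_arn,
        }],
    }


if __name__ == "__main__":
    print("missing with original key policy:", missing_actions([ORIGINAL_STATEMENT], ACCOUNT_B_ROOT))
    print("missing with fixed key policy:", missing_actions(FIXED_STATEMENTS, ACCOUNT_B_ROOT))
    print(json.dumps({"Statement": FIXED_STATEMENTS}, indent=2))
    print(json.dumps(account_b_iam_policy(), indent=2))
```

Both halves have to line up: the key policy in Account A must allow Account B's root, and the role in Account B must be allowed the same actions in its own identity policy, including kms:CreateGrant. A quick way to confirm the key side before retrying the snapshot copy is `aws kms get-key-policy --key-id <KEYID> --policy-name default` from Account A and checking that the grant statement is present.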