When setting up AWS ECR cross-account replication with KMS, I would expect that the target account (account b) service role "AWSServiceRoleForECRReplication" would need permissions granted on the source KMS CMK (account a) to allow decryption of the images being replicated; however, this is not documented as a requirement anywhere in the AWS documentation [1] or [2].
[1] https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html
[2] https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html
Can anyone confirm (a) whether this is required, and (b) whether we can apply least privilege and use the target account (account b) 'AWSServiceRoleForECRReplication' service role as the principal, or is another role used to decrypt when replicating?
Thanks