KMS Customer Managed Key with cross-account service role permissions



I am working with customer on a workload that required KMS key encryption using customer managed key/material. In customer environment, the Key is created in central security account and is shared with the account running the workload (using share with external account option). Within the workload, we need to bring up new instances using auto-scaling with KMS key encryption for attached EBS volumes. We noticed that to get auto-scaling working we need to add service role for auto-scaling as a key user in KMS key and this is working fine within an account (in my environment). But in customer environment, we are unable to add these service roles (for the workload account) in KMS key policy from central security account. It gives an error - "invalid principal". Do you know if this is a limitation for KMS CMK cross account access or what is the right way to enable service role permissions for external (workload) account in KMS key policy?


asked 4 years ago1243 views
1 Answer
Accepted Answer

Cross account KMS keys used to encrypt snapshots is supported in an ASG, but the key policy has to be setup slightly differently, and the account with the ASG in it needs to call the create-grant CLI command after the key policy is setup. Detailed instructions can be found here:

answered 4 years ago
profile picture
reviewed 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions