Allowing access to a KMS key from another account


I am trying to allow the use of my KMS key from 'Account A' in 'Account B', but I seem to be missing a step. Please let me know if you can see what I'm doing wrong.

The context is that I am sharing a DB snapshot, and the snapshot is encrypted using a CMK in Account A

What I have done: Following this document as guidance: In Account A's KMS, I updated the key policy with the following:

```json
{
  "Sid": "Allow an external account to use this KMS key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<Account B>:root"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```

This key policy does have more, but there are no deny statements in it.

And then in Account B I have created a new IAM policy with the following:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUseOfKeyInAccountA",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:<REGION>:<ACCOUNTA>:key/<KEYID>"
    }
  ]
}
```

I attached this policy to the role I'm currently using and then logged out and back in again to the console. Then I went to the snapshots shared with me and attempted to copy that snapshot that was shared from Account A. When I try to save it off, though, I get an error:

The source snapshot KMS key [arn:aws:kms:<REGION>:<ACCOUNTA>:key/<KEYID> matching the CMK ARN and policy above] does not exist, is not enabled or you do not have permissions to access it.

What step did I miss?

asked a year ago · 632 views
1 Answer
Accepted Answer

It looks like what I was missing was


in my Account A CMK policy. Once added, I was able to do my snapshot copy.

answered a year ago
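The question and the answer above hinge on the same point: a principal in Account B can use Account A's key only when the key policy in Account A and an IAM policy in Account B both allow every action the operation needs, and the RDS error message does not say which side or which action is short. The following added example (not code from the post, its author, or AWS) runs a small two-sided check over the two policy documents from the question. It assumes constructed placeholder account IDs, region and key ID in place of `<ACCOUNTA>`, `<Account B>`, `<REGION>` and `<KEYID>`, a hypothetical role name `SnapshotCopier`, and a required-action list in which `kms:CreateGrant` is an assumption drawn from the RDS documentation on copying shared encrypted snapshots rather than from this page (the answer above does not show the statement that was added). The evaluator is deliberately simplified: explicit Deny wins, otherwise any matching Allow grants, wildcards use shell-style matching, and Condition, NotAction/NotResource and KMS grants are not modelled.

```python
"""Two-sided check for cross-account KMS access (added example, not from the post).

A principal in Account B can use a key owned by Account A only if BOTH the key
policy in Account A and an IAM policy in Account B allow the action. Simplified
IAM model: explicit Deny wins, else any matching Allow; wildcard actions and
resources use shell-style matching; Condition, NotAction/NotResource and KMS
grants are not modelled.
"""
import fnmatch
import json

# Constructed placeholders standing in for the <ACCOUNTA>, <Account B>,
# <REGION> and <KEYID> values in the question.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
REGION = "us-east-1"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_A}:key/{KEY_ID}"
# Hypothetical role in Account B that performs the snapshot copy.
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/SnapshotCopier"

# Account A side: the key policy statement from the question.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow an external account to use this KMS key",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    }],
}

# Account B side: the IAM policy from the question.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUseOfKeyInAccountA",
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": KEY_ARN,
    }],
}

# Concrete actions to verify. The first seven are what the question's wildcards
# expand to; kms:CreateGrant is an ASSUMPTION taken from the RDS documentation on
# copying shared encrypted snapshots, not something this page states.
REQUIRED_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn, account_id):
    """Key policies name principals; identity policies have none (implicit caller)."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    # Naming the account root delegates to that account's own IAM policies.
    root_arn = f"arn:aws:iam::{account_id}:root"
    return any(p in ("*", principal_arn, root_arn, account_id) for p in aws)


def _glob_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def allowed_by(policy, principal_arn, account_id, action, resource_arn):
    """Evaluate one policy document: any explicit Deny wins, else any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, principal_arn, account_id)
                and _glob_any(action, stmt.get("Action", []))
                and _glob_any(resource_arn, stmt.get("Resource", "*"))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(key_policy, iam_policy, principal_arn, account_id,
                    required, key_arn):
    """Required actions not allowed on BOTH sides, sorted for stable output."""
    return sorted(
        a for a in required
        if not (allowed_by(key_policy, principal_arn, account_id, a, key_arn)
                and allowed_by(iam_policy, principal_arn, account_id, a, key_arn)))


if __name__ == "__main__":
    gaps = missing_actions(KEY_POLICY, IAM_POLICY, ROLE_ARN, ACCOUNT_B,
                           REQUIRED_ACTIONS, KEY_ARN)
    print(json.dumps({"key": KEY_ARN, "not_allowed_on_both_sides": gaps}, indent=2))
```

Run against the two policies as posted, the check reports only the assumed `kms:CreateGrant` as missing, and it keeps reporting it when that action is added to just one of the two policies, which is the point to take from the question: a cross-account KMS failure has to be fixed on both sides, and an explicit Deny anywhere overrides every Allow.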
