By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Unable to access shared customer managed key in my another aws account

0

Hi Team, we are actually trying to share form one our aws account (ACC1) IAM user (juenwei) a customer managed kms key with name (keygenerated-26-10) to the account (ACC2) IAM user (juenwei-dr), both account are part of same organization.

here are the key- policy from juenwei account,

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACC1-ID:root",
                    "arn:aws:iam::ACC1-ID:user/juenwei"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACC1-ID:user/juenwei"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACC2-ID:root",
                    "arn:aws:iam::ACC2-ID:user/juenwei-dr"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACC2-ID:root",
                    "arn:aws:iam::ACC2-ID:user/juenwei-dr"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

we have allowed to both root and juenwei-dr user with the access of key. also in juenwei-dr account we have attached a permission to access this kms key from source account here the policy attached,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:ap-southeast-1:ACC1-ID:key/4015d80b-24eb-4be6-b856-83054097c95c"
            ]
        },
        {
            "Sid": "AllowAttachmentOfPersistentResources",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": [
                "arn:aws:kms:ap-southeast-1:ACC1-ID:key/4015d80b-24eb-4be6-b856-83054097c95c"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

even after adding this permissions we are still not able to see the shared key in juenwei-dr acount. requesting you to please look into this isssue, any kind of help or resolution is really appriciated.

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Key Management ServiceAWS Identity and Access ManagementAWS OrganizationsIAM Policies
Language
English
Shriram
asked 6 months ago316 views
1 Answer
1
Accepted Answer

Hi,

Please, follow precisely this guidance to implement KMS key sharing across accounts: https://aws.amazon.com/blogs/security/share-custom-encryption-keys-more-securely-between-accounts-by-using-aws-key-management-service/

Best,

Didier

profile pictureAWS
EXPERT
Didier_Durand
answered 6 months ago
profile picture
EXPERT
Gary Mclean
reviewed a month ago
  • Shriram
    6 months ago

    This document is older one, options has been change in New UI

  • Shriram
    6 months ago

    Seems like, shared key will not be visible in Destination accounts KMS section, we can only use it by its ARN

  • Didier_Durand EXPERT
    6 months ago

    Hi, yes, console views usually display only corresponding resources of the account, not cross-account resources. It is same thing for example with S3, etc. So, yes, you must know the ARN of the resource shared with you. Best, Didier

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content