Can we use cross account cmk in mwaa?


Hi, we have 3 keys in a different account used for encryption purposes. Can we use those keys in an MWAA DAG to decrypt the data? We have already given the necessary permissions but the encryption fails. Is MWAA compatible with cross-account keys?

Thank you for contacting us! I understand that you would like to use a cross-account KMS key for data encryption in MWAA, and you would like to know if it is supported.

I have identified the following documentation excerpt that describes that it is supported:

"If the Customer managed key that you specify is in a different account from the one that you use to configure an environment, you must specify the key using its ARN."

The document also mentions the following:

"A Customer managed key must be created in the same Region as your Amazon MWAA environment instance and your Amazon S3 bucket where your customer data is stored."

Therefore, I recommend checking your KMS key configuration and the region it is located in to determine the root cause.

If you choose to use your own Customer managed key with Amazon MWAA, you must attach the policy described in [1] (under section "Attaching key policies to a customer managed key") to the key to allow Amazon MWAA to use it to encrypt your data.

If you need assistance in resolving the permission issue, please do feel free to create a support case with us and we can take a look at your resource configurations to help troubleshoot further.

Note: Posts on the re:Post platform are public and therefore, I recommend not posting any confidential information regarding your resources over this platform.

Please feel free to reach back if you have any follow up questions!
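As an added pre-flight check (example code, not from the answer above or from AWS), the following script runs the two checks the answer recommends before opening a support case: that the key ARN names the same Region as the MWAA environment, and that the key policy grants the required KMS actions to the MWAA service principal. The service principal name and the action list are assumptions; take the exact statements from the AWS doc cited as [1]. The key ARN and policy are constructed sample values.

```python
import json
import re
from fnmatch import fnmatch

# Assumption: the service principal and actions MWAA needs; confirm against
# the "Attaching key policies to a customer managed key" section in [1].
MWAA_SERVICE_PRINCIPAL = "airflow.amazonaws.com"
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey")

KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]+)$"
)

# Constructed sample: a cross-account key ARN and a minimal key policy.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowMWAA",
        "Effect": "Allow",
        "Principal": {"Service": MWAA_SERVICE_PRINCIPAL},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    }],
}


def parse_key_arn(arn):
    """Split a KMS key ARN into region, account and key id; reject key ids/aliases."""
    m = KEY_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"cross-account keys must be given as a full key ARN, got: {arn}")
    return m.groupdict()


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_grants(policy, service, action):
    """True if some Allow statement gives `service` an action pattern matching `action`."""
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or service not in services:
            continue
        if any(fnmatch(action, pat) for pat in _as_list(st.get("Action", []))):
            return True
    return False


def check_cross_account_cmk(key_arn, env_region, key_policy):
    """Return a list of findings; an empty list means both checks passed."""
    policy = json.loads(key_policy) if isinstance(key_policy, str) else key_policy
    findings = []
    key = parse_key_arn(key_arn)
    if key["region"] != env_region:
        findings.append(f"key is in {key['region']} but the MWAA environment is in {env_region}")
    for action in REQUIRED_ACTIONS:
        if not policy_grants(policy, MWAA_SERVICE_PRINCIPAL, action):
            findings.append(f"key policy does not allow {action} to {MWAA_SERVICE_PRINCIPAL}")
    return findings


if __name__ == "__main__":
    print(check_cross_account_cmk(SAMPLE_KEY_ARN, "us-east-1", SAMPLE_POLICY))
    print(check_cross_account_cmk(SAMPLE_KEY_ARN, "eu-west-1", SAMPLE_POLICY))
```

The key's actual policy can be fetched with `aws kms get-key-policy --key-id <ARN> --policy-name default` from the key-owning account and passed in as the JSON string.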

