Can we use a cross-account CMK in MWAA?

0

Hi, we have 3 keys in a different account used for encryption purposes. Can we use those keys in an MWAA DAG to decrypt the data? We have already given the necessary permissions, but the encryption fails. Is MWAA compatible with cross-account keys?

1 Answer
0

Hi,

Thank you for contacting us! I understand that you would like to use a cross-account KMS key for data encryption in MWAA, and you would like to know if it is supported.

I have identified the following documentation excerpt that describes that it is supported:

"If the Customer managed key that you specify is in a different account from the one that you use to configure an environment, you must specify the key using its ARN."

The document also mentions the following:

"A Customer managed key must be created in the same Region as your Amazon MWAA environment instance and your Amazon S3 bucket where your customer data is stored."

Therefore, I recommend checking your KMS key configuration and the region it is located in to determine the root cause.

If you choose to use your own Customer managed key with Amazon MWAA, you must attach the policy described in [1] (under section "Attaching key policies to a customer managed key") to the key to allow Amazon MWAA to use it to encrypt your data.

If you need assistance in resolving the permission issue, please do feel free to create a support case with us and we can take a look at your resource configurations to help troubleshoot further.

Note: Posts in re:Post platform are public and therefore, I recommend not posting any confidential information regarding your resources over this platform.

Please feel free to reach back if you have any follow-up questions!

AWS
Support Engineer
answered 2 years ago
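
A preflight check for the two conditions quoted in the answer above (a key in another account is given by its ARN; the key sits in the same Region as the MWAA environment and the S3 bucket), as an added example that is not part of the original post or AWS's own code. The helper name `check_mwaa_cmk` is hypothetical, and the account IDs, key ID and Regions are constructed sample values.

```python
import re

# Shape of a KMS key ARN: arn:<partition>:kms:<region>:<account-id>:key/<key-id>
KMS_KEY_ARN = re.compile(
    r"^arn:aws[a-z-]*:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"key/(?P<key_id>[A-Za-z0-9-]+)$"
)


def check_mwaa_cmk(key_ref, env_account, env_region, bucket_region):
    """Hypothetical helper: check a key reference against the two quoted conditions."""
    match = KMS_KEY_ARN.match(key_ref)
    if match is None:
        # A bare key ID or alias does not carry the owning account or Region,
        # so cross-account use cannot be confirmed from the reference itself.
        return {
            "cross_account": None,
            "problems": ["not a key ARN; a key in another account must be given by its ARN"],
        }
    problems = []
    key_region = match["region"]
    if key_region != env_region:
        problems.append(f"key Region {key_region} differs from environment Region {env_region}")
    if key_region != bucket_region:
        problems.append(f"key Region {key_region} differs from S3 bucket Region {bucket_region}")
    return {"cross_account": match["account"] != env_account, "problems": problems}


# Constructed sample input: environment account 111122223333 in us-east-1.
SAMPLE_KEY_REFS = [
    "arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "arn:aws:kms:eu-west-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "1234abcd-12ab-34cd-56ef-1234567890ab",
]

if __name__ == "__main__":
    for ref in SAMPLE_KEY_REFS:
        result = check_mwaa_cmk(ref, "111122223333", "us-east-1", "us-east-1")
        print(ref)
        print("  cross-account:", result["cross_account"])
        for problem in result["problems"] or ["no problems found"]:
            print("  -", problem)
```

This only inspects the key reference; it does not verify the key policy the answer refers to in [1].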
