KMS Customer Managed Key with cross-account service role permissions
Hello,
I am working with customer on a workload that required KMS key encryption using customer managed key/material. In customer environment, the Key is created in central security account and is shared with the account running the workload (using share with external account option). Within the workload, we need to bring up new instances using auto-scaling with KMS key encryption for attached EBS volumes. We noticed that to get auto-scaling working we need to add service role for auto-scaling as a key user in KMS key and this is working fine within an account (in my environment). But in customer environment, we are unable to add these service roles (for the workload account) in KMS key policy from central security account. It gives an error - "invalid principal". Do you know if this is a limitation for KMS CMK cross account access or what is the right way to enable service role permissions for external (workload) account in KMS key policy?
Thanks!
- 最新
- 投票最多
- 评论最多
Cross account KMS keys used to encrypt snapshots is supported in an ASG, but the key policy has to be setup slightly differently, and the account with the ASG in it needs to call the create-grant CLI command after the key policy is setup. Detailed instructions can be found here:
相关内容
AWS 官方已更新 2 年前- AWS 官方已更新 1 年前
