As noted in the docs, a multi-region KMS key is "an independent KMS key resource with its own key policy." As such, you can use a combination of key policy and IAM policy to allow cross-account access, as also noted in the docs. Note that because the regional keys are independent resources, the key policy must be applied to each key, and any IAM policy in the other account must refer to the full set of key ARNs across all regions.
Confirmed with AWS support today that this DOES NOT WORK.
ReplicateKey API notes:
Cross-account use: No. You cannot use this operation to create a replica key in a different AWS account.
There are two steps to doing this. You can create a replica key in the same account and then share the replica with another account.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
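The pattern described by both answers above, as an added example that is not part of either post or of AWS's own documentation: the replica is created in the key owner's account (ReplicateKey does not cross accounts), every regional key gets the same key policy granting the external account, and the external account's IAM policy lists the key ARN in every region. The account IDs, key ID and region list are constructed placeholders, and the action set granted to the external account is an assumed minimal "use" set; the policy-building functions run offline, while the boto3 calls are only made if a real KMS client is passed in.

```python
"""Cross-account access to a multi-region KMS key.

Added example (not from the original page). Account IDs, key ID and
regions below are constructed placeholders.
"""
import json

KEY_OWNER_ACCOUNT = "111111111111"                 # constructed: account that owns the key
EXTERNAL_ACCOUNT = "222222222222"                  # constructed: account being granted use
MRK_ID = "mrk-1234abcd12ab34cd56ef1234567890ab"    # constructed; real multi-region key IDs use the mrk- prefix
REGIONS = ["us-east-1", "eu-west-1"]               # constructed: primary region first, then replica regions

# Assumed minimal set of actions an external account needs to use (not manage) the key.
USE_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]


def key_arn(region, account=KEY_OWNER_ACCOUNT, key_id=MRK_ID):
    """ARN of one regional key. A multi-region key keeps the same key ID in every region,
    so only the region segment changes."""
    return f"arn:aws:kms:{region}:{account}:key/{key_id}"


def key_policy(owner=KEY_OWNER_ACCOUNT, external=EXTERNAL_ACCOUNT, actions=USE_ACTIONS):
    """Key policy to attach to EVERY regional key (primary and each replica).

    Key policies use Resource "*" because they are scoped to the key they are attached to.
    The root-principal statement keeps the owner account (and its IAM policies) in control.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableOwnerAccountPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowExternalAccountUse",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{external}:root"},
                "Action": list(actions),
                "Resource": "*",
            },
        ],
    }


def external_iam_policy(regions=REGIONS, owner=KEY_OWNER_ACCOUNT, key_id=MRK_ID, actions=USE_ACTIONS):
    """IAM policy for a principal in the external account.

    Granting the external account's root in the key policy only delegates permission to that
    account; an IAM policy there must still allow the actions, and it must name the key ARN
    in every region, since each regional key is an independent resource.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "UseMultiRegionKeyInAllRegions",
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": [key_arn(r, owner, key_id) for r in regions],
            }
        ],
    }


def replicate_and_share(primary_kms, primary_key_id, replica_regions, policy):
    """Two-step flow from the answer above: replicate in the same account, then share.

    primary_kms must be a boto3 KMS client in the primary key's region (ReplicateKey is
    called in the primary region). The policy is passed to ReplicateKey so the replica
    does not start with the default key policy, and is also (re)applied to the primary.
    Returns the ARNs of the replica keys created.
    """
    policy_json = json.dumps(policy)
    primary_kms.put_key_policy(KeyId=primary_key_id, PolicyName="default", Policy=policy_json)
    replica_arns = []
    for region in replica_regions:
        resp = primary_kms.replicate_key(
            KeyId=primary_key_id, ReplicaRegion=region, Policy=policy_json
        )
        replica_arns.append(resp["ReplicaKeyMetadata"]["Arn"])
    return replica_arns


if __name__ == "__main__":
    # Offline: print the two documents you would apply. To run for real:
    #   import boto3; replicate_and_share(boto3.client("kms", region_name=REGIONS[0]), MRK_ID, REGIONS[1:], key_policy())
    print(json.dumps(key_policy(), indent=2))
    print(json.dumps(external_iam_policy(), indent=2))
```

A quick check after applying this: the external account's IAM policy must contain one ARN per region in which the key exists; an ARN missing for a region is the usual cause of "works in us-east-1, AccessDenied in eu-west-1."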