Can KMS Multi-Region Keys be used outside the provisioned account?

Question

Multi-region keys appear to be constrained to the account in which they are provisioned - What are the best practices for leveraging these types of keys across multiple accounts, is it just a matter of IAM permissions?

Answer

As noted [in the docs](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-auth.html), a multi-region KMS key is "an independent KMS key resource with its own key policy." As such, you can use a combination of [key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) and [IAM policy](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html) to allow cross-account access, as also noted [in the docs](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html). Note that because the regional keys are independent resources, the key policy must be applied to each key, and any IAM policy in another must refer to the full set of key ARNs across all regions.

Answer

Confirmed with AWS support today that this DOES NOT WORK.

[ReplicateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReplicateKey.html#:~:text=Cross%2Daccount%20use%3A%20No.%20You%20cannot%20use%20this%20operation%20to%20create%20a%20replica%20key%20in%20a%20different%20AWS%20account) API notes:

> Cross-account use: No. You cannot use this operation to create a replica key in a different AWS account.

Answer

There are two steps to doing this. You can create a replica key in the same account and then share the replica with another account.

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

Can KMS Multi-Region Keys be used outside the provisioned account?

相關內容