Cross account AWS KMS keys

Category AWS Security
28 March 2024

Let's say you have an IAM role in account 12345678 and it needs kms:Decrypt access to a key in another account, 987654321. You need to keep the following policy evaluation diagram in mind:

How AWS evaluates policies (logic)

This means that the KMS key policy (the resource-based policy on the key in account 987654321) must allow kms:Decrypt for the role, i.e. a statement like this needs to be in the key policy:

{
    "Sid": "Allow12345678",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::12345678:root"
    },
    "Action": "kms:Decrypt",
    "Resource": "*"
}

And the IAM role's identity-based policy (in account 12345678) must allow the kms:Decrypt action as well, something like:

{
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:eu-west-1:987654321:key/abcdef-def-def-fe-ss"
}

Otherwise you will run into an error like the following (this one is from the case where the identity-based policy is missing):

AccessDenied (client): User: arn:aws:sts::12345678:assumed-role/xxx-role/474ce5ef81924893ad55740f8ab96872 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action

This also applies to S3 bucket permissions (and to any other AWS service that supports resource-based policies): for cross-account access, both the resource-based policy and the identity-based policy must allow the action.
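The "both halves must allow" rule above, as an added example that is not part of the original post: an offline check over the two policy documents shown. The role ARN is assumed from the role name in the error message, the empty policy is a constructed failure case, and only the subset of IAM semantics the post discusses is modelled.

```python
# Added example, not from the original post: an offline check that both halves of a
# cross-account kms:Decrypt grant exist. It models only what the post covers
# (Allow/Deny, action/resource wildcards, account-root or role principals); real
# evaluation also involves SCPs, permission boundaries, grants and conditions.
import fnmatch

# Values from the post; the role ARN is assumed from the role name in the error.
ROLE_ARN = "arn:aws:iam::12345678:role/xxx-role"
KEY_ARN = "arn:aws:kms:eu-west-1:987654321:key/abcdef-def-def-fe-ss"
KEY_POLICY = {"Statement": [{"Sid": "Allow12345678", "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::12345678:root"},
              "Action": "kms:Decrypt", "Resource": "*"}]}
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt",
                   "Resource": KEY_ARN}]}
EMPTY_POLICY = {"Statement": []}  # constructed: a role with no KMS permissions

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, target):
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))

def _principal_matches(principal, role_arn):
    # The account root principal delegates to that account's own IAM policies,
    # so it covers every role in the account (given the role's own allow).
    account_root = "arn:aws:iam::%s:root" % role_arn.split(":")[4]
    arns = principal if isinstance(principal, str) else principal.get("AWS", [])
    return any(p in ("*", role_arn, account_root) for p in _as_list(arns))

def decision(statements, action, resource, role_arn=None):
    """'Deny', 'Allow' or 'Implicit deny' for one policy document."""
    allowed = False
    for st in statements:
        if not _matches(st.get("Action", []), action):
            continue
        if not _matches(st.get("Resource", "*"), resource):
            continue
        if role_arn and not _principal_matches(st.get("Principal", {}), role_arn):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins over any allow
        allowed = True
    return "Allow" if allowed else "Implicit deny"

def cross_account_check(key_policy, identity_policy, role_arn, key_arn):
    """Cross-account access needs BOTH the key policy and the caller's identity
    policy to allow the action; report which half is missing."""
    key = decision(key_policy["Statement"], "kms:Decrypt", key_arn, role_arn)
    ident = decision(identity_policy["Statement"], "kms:Decrypt", key_arn)
    return key == "Allow" and ident == "Allow", {"key_policy": key, "identity_policy": ident}
```

Running the check with EMPTY_POLICY in place of IDENTITY_POLICY reproduces the situation behind the error above: the key policy allows, but the identity policy is an implicit deny.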
