Reputation: 2346
AWS Secret Manager creation with cross account KMS CMK
How enable encryption at rest with AWS secret manager using a KMS CMK from a different account ?
Upvotes: 2
Views: 2336
Answers (1)
Reputation: 2346
AWS Secret manager can not be encrypted with cross account keys using the AWS Management Console, instead you have to use the AWS CLI
If you want to create a Key and share it to another account
First Create the KMS CMK Key with a key policy giving correct access to the sharing account. There are plenty of tutorials around this.
Here we are giving key access to the root of the AccountA. Also we have restricted the use of the key for autoscaling and secretsmanager.
{
"Sid": "Allow use of the key for SSM only",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:root"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com",
"autoscaling.*.amazonaws.com"
]
}
}
},
{
"Sid": "Allow reading of key metadata",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:root"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:root"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*"
}
Now the Account A root has to give access to a user or a role to use the key. A typical IAM policy to grant access would look like this. This policy should be associated with the role or a user in account A.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": [
"arn:aws:kms:<KEY>"
]
}
]
}
Now you have a KMS ket ready to use, So continue with the following steps.
If you already have the KMS CMK from a different account
First check the key is accessible
aws kms describe-key --key-id arn:aws:kms:<KEY_ID>
If you don't get a response, that means you dont have access to the key, check the key policy and ensure all the access is given properly.
If you have access to the key, then use AWS CLI to use the Key.
To reassign to a existing secret
aws secretsmanager update-secret --secret-id <secret id> --kms-key-id <KMS key id>
Or to create a new secret with the key
aws secretsmanager create-secret --name <NameOfTheSecret> \
--description "Test Description" \
--kms-key-id <KMS Key Id>
Upvotes: 2
Related Questions
- s3 cross account access with default kms key
- Give persmission to use AWS KMS key to another account
- How do I get AWS cross-account KMS keys to work?
- AWS-CDK: Cross account Resource Access and Resource reference
- Encrypt secret manager value using kms cloud formation
- cross account access for decrypt object with default aws/S3 KMS key
- Other AWS User is (Incorrectly) Able to Access My AWS SecretsManager Secret Value, That's Encrypted With My AWS KMS CMK
- how to create AWS managed KMS Key
- Sharing an AWS managed KMS key with another account
- AWS Secrets Manager rotation for RDS credentials