Upul Doluweera

AWS Secret Manager creation with cross account KMS CMK

How do I enable encryption at rest with AWS Secrets Manager using a KMS CMK from a different account?

Upvotes: 2


Answers (1)

Upul Doluweera

AWS Secrets Manager secrets cannot be encrypted with cross-account keys using the AWS Management Console; instead you have to use the AWS CLI.

If you want to create a key and share it with another account

First, create the KMS CMK with a key policy giving the correct access to the sharing account. There are plenty of tutorials around this.

Here we are giving key access to the root of AccountA. We have also restricted use of the key to Auto Scaling and Secrets Manager.

{
    "Sid": "Allow use of the key via Secrets Manager and Auto Scaling only",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::AccountA:root"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:ViaService": [
                "secretsmanager.*.amazonaws.com",
                "autoscaling.*.amazonaws.com"
            ]
        }
    }
},
{
    "Sid": "Allow reading of key metadata",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::AccountA:root"
    },
    "Action": "kms:DescribeKey",
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::AccountA:root"
    },
    "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
    ],
    "Resource": "*"
}

Now the Account A root has to give a user or a role access to use the key. A typical IAM policy to grant that access would look like this. This policy should be attached to the role or user in account A.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:<KEY>"
            ]
        }
    ]
}

Now you have a KMS key ready to use, so continue with the following steps.

If you already have the KMS CMK from a different account

First, check that the key is accessible:

aws kms describe-key --key-id arn:aws:kms:<KEY_ID>

If you don't get a response, that means you don't have access to the key; check the key policy and ensure all the access is given properly.

If you have access to the key, then use the AWS CLI to use the key.

To reassign an existing secret to the key:

aws secretsmanager update-secret --secret-id <secret id> --kms-key-id <KMS key id>

Or to create a new secret with the key:

aws secretsmanager create-secret --name <NameOfTheSecret> \
--description "Test Description" \
--kms-key-id <KMS Key Id>

Upvotes: 2
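As an added example, not part of the answer above or of any AWS tooling: a small offline check that evaluates the answer's cross-account key-policy statements the way KMS would for AccountA's root principal, so you can see which of the required operations each access path grants before running the describe-key step. It assumes the placeholder account id 111122223333 for AccountA and embeds the statements as a constructed sample.

```python
import fnmatch
import json

# Constructed sample, not the answer's exact file: the cross-account
# statements from the answer wrapped in a full key policy. 111122223333 is a
# placeholder for AccountA; the owning account's admin statement is omitted.
KEY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "Allow use of the key via Secrets Manager and Auto Scaling only",
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"],
  "Resource": "*", "Condition": {"StringLike": {"kms:ViaService":
   ["secretsmanager.*.amazonaws.com", "autoscaling.*.amazonaws.com"]}}},
 {"Sid": "Allow reading of key metadata", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "kms:DescribeKey", "Resource": "*"}]}""")

# KMS operations behind the answer's action list, wildcards expanded to the
# real API names so that each one can be checked individually.
REQUIRED = ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
            "kms:GenerateDataKey", "kms:ReEncryptFrom", "kms:ReEncryptTo"]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def allowed_actions(policy, account_id, via_service=None):
    """Action patterns the account's root principal is granted, given the
    service the request comes through. via_service=None models a direct CLI
    call, for which a kms:ViaService condition never matches. Deny statements
    are not modelled (the sample has none)."""
    root = f"arn:aws:iam::{account_id}:root"
    allowed = set()
    for st in policy["Statement"]:
        principals = _as_list(st.get("Principal", {}).get("AWS"))
        if st.get("Effect") != "Allow" or root not in principals:
            continue
        via = _as_list(st.get("Condition", {}).get("StringLike", {}).get("kms:ViaService"))
        if via and (via_service is None
                    or not any(fnmatch.fnmatchcase(via_service, p) for p in via)):
            continue
        allowed.update(_as_list(st.get("Action")))
    return allowed


def missing_actions(policy, account_id, via_service=None):
    """Required operations no granted pattern covers; empty means the key
    policy side of the setup is complete for that access path."""
    granted = allowed_actions(policy, account_id, via_service)
    return sorted(a for a in REQUIRED if not any(fnmatch.fnmatchcase(a, p) for p in granted))
```

Run it for a direct call (no via_service) and you see that only kms:DescribeKey is granted, which is exactly why the describe-key check succeeds while the data-key operations are reserved for requests arriving through Secrets Manager or Auto Scaling.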
