bappak

Reputation: 1044

Can I decrypt a KMS key from a different account, from a different aws region?

Here's my scenario:

// aws-cdk-lib v2 import (a CDK v1 stack would import from @aws-cdk/aws-iam instead);
// encryptionMasterKey is the kms.Key created earlier in the same stack.
import * as iam from "aws-cdk-lib/aws-iam";

// Key policy statement for account B: administrative actions plus
// GenerateDataKey. Note that kms:Decrypt is not in the list, and no AWS
// service principal (such as SNS) is granted anything by this statement.
encryptionMasterKey.addToResourcePolicy(new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:GenerateDataKey",
        "kms:TagResource",
        "kms:UntagResource",
    ],
    resources: ["*"], // in a key policy, "*" means this key itself
    principals: [new iam.AccountPrincipal("<account B id>")],
}));

Now, here are my observations:

I need to be able to encrypt my queue for business reasons. How can I allow my SNS topic to access the KMS key?

Upvotes: 2

Views: 1722

Answers (2)

victormoraesgs

Reputation: 15

I have gone through a similar problem, check the question and answer here: SNS not being able to send messages to SQS queue in another account

TL;DR: In addition to @user3099576's answer, you need to use a multi-region KMS key that was created in one of the two regions with a replica in the other region. KMS keys are not cross-region as of now.

Upvotes: 0
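To act on the answer above you need to know which ARN to reference from the other region: a multi-region key and its replicas share one key ID (prefixed `mrk-`) and differ only in the region part of the ARN, and DescribeKey lists every region the key exists in. The following is an added example, not code from the post or from AWS. The DescribeKey responses are constructed in the shape boto3's `kms.describe_key` returns them, with a made-up account ID and key ID.

```python
"""Resolve which KMS key ARN a topic or queue in a given region can reference.

Added example; DESCRIBE_KEY_MULTI and DESCRIBE_KEY_SINGLE are constructed
responses, not real keys.
"""

ACCOUNT = "111122223333"  # constructed
MRK_ID = "mrk-1234abcd12ab34cd56ef1234567890ab"  # constructed multi-region key ID


def _arn(region, key_id, account=ACCOUNT):
    return f"arn:aws:kms:{region}:{account}:key/{key_id}"


# Multi-region primary in us-east-1 with one replica in eu-west-1.
DESCRIBE_KEY_MULTI = {
    "KeyMetadata": {
        "KeyId": MRK_ID,
        "Arn": _arn("us-east-1", MRK_ID),
        "MultiRegion": True,
        "MultiRegionConfiguration": {
            "MultiRegionKeyType": "PRIMARY",
            "PrimaryKey": {"Arn": _arn("us-east-1", MRK_ID), "Region": "us-east-1"},
            "ReplicaKeys": [
                {"Arn": _arn("eu-west-1", MRK_ID), "Region": "eu-west-1"},
            ],
        },
    }
}

# Ordinary single-region key: usable from its own region only.
SINGLE_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # constructed
DESCRIBE_KEY_SINGLE = {
    "KeyMetadata": {
        "KeyId": SINGLE_ID,
        "Arn": _arn("us-east-1", SINGLE_ID),
        "MultiRegion": False,
    }
}


def key_arn_for_region(describe_key_response, region):
    """Return the ARN to put in KmsMasterKeyId for a resource in `region`,
    or None when neither the primary nor a replica lives there."""
    meta = describe_key_response["KeyMetadata"]
    key_region = meta["Arn"].split(":")[3]
    if not meta.get("MultiRegion", False):
        return meta["Arn"] if key_region == region else None
    cfg = meta["MultiRegionConfiguration"]
    for entry in [cfg["PrimaryKey"], *cfg.get("ReplicaKeys", [])]:
        if entry["Region"] == region:
            return entry["Arn"]
    return None


def missing_replica_regions(describe_key_response, wanted_regions):
    """Regions from `wanted_regions` where the key has no primary or replica,
    i.e. where a ReplicateKey call is still needed."""
    return [r for r in wanted_regions
            if key_arn_for_region(describe_key_response, r) is None]


if __name__ == "__main__":
    print(key_arn_for_region(DESCRIBE_KEY_MULTI, "eu-west-1"))
    print(missing_replica_regions(DESCRIBE_KEY_MULTI, ["us-east-1", "eu-west-1", "ap-south-1"]))
```

In a real stack you would feed `kms.describe_key(KeyId=...)` into `key_arn_for_region` and create the missing replicas with `kms.replicate_key` before wiring the topic and queue; a replica also carries its own copy of the key policy, so the SNS statement from the other answer has to be present on the replica in the region where the topic lives.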

user3099576

Reputation:

In addition to the AWS account principal, you also need to have a policy that grants the Amazon SNS service principal permission to use the KMS key.

{
    "Sid": "Allow access for SNS Service Principal",
    "Effect": "Allow",
    "Principal": {
        "Service": "sns.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
    ],
    "Resource": "*"
}

You can also find a more detailed post regarding the setup here.

Upvotes: 2
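A quick way to see why the asker's policy is not enough, and to check a key policy before deploying it, is to evaluate it the way KMS does: find the statements whose principal matches, expand the `kms:*` wildcards in Action, and let an explicit Deny win. The following is an added example, not code from the post or from AWS. The account ID 444455556666 stands in for the asker's `<account B id>`, the policy documents are constructed, and the evaluator is an approximation: it ignores Condition blocks and the IAM side in account B, so a True result means "not obviously missing from the key policy", not a proof of access.

```python
"""Minimal KMS key-policy evaluator for the SNS service principal check.

Added example; ORIGINAL_POLICY mirrors the asker's CDK statement and
FIXED_POLICY adds the SNS statement from the answer above. All IDs are
constructed.
"""
import fnmatch

ACCOUNT_B = "444455556666"  # constructed: the account that owns the SNS topic
ACCOUNT_B_ROOT = f"arn:aws:iam::{ACCOUNT_B}:root"  # what iam.AccountPrincipal renders to

# The asker's statement: account B gets administrative actions plus
# GenerateDataKey, but nothing is granted to the SNS service itself.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow account B",
            "Effect": "Allow",
            "Principal": {"AWS": ACCOUNT_B_ROOT},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                       "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                       "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                       "kms:CancelKeyDeletion", "kms:GenerateDataKey",
                       "kms:TagResource", "kms:UntagResource"],
            "Resource": "*",
        }
    ],
}

# The statement the answer above adds for the SNS service principal.
SNS_STATEMENT = {
    "Sid": "Allow access for SNS Service Principal",
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
    "Resource": "*",
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_POLICY["Statement"] + [SNS_STATEMENT],
}

# Actions SNS needs on the key to encrypt published messages and decrypt
# them for delivery.
SNS_REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, kind, identity):
    """kind is "AWS" or "Service"; a bare "*" matches every principal."""
    if principal == "*":
        return True
    values = _as_list(principal.get(kind, []))
    return identity in values or "*" in values


def is_allowed(policy, kind, identity, action):
    """Explicit Deny wins; otherwise any matching Allow grants the action.
    Condition blocks are not evaluated (approximation)."""
    decision = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], kind, identity):
            continue
        patterns = _as_list(stmt["Action"])
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def missing_sns_actions(policy):
    """Required SNS actions the key policy does not grant to sns.amazonaws.com."""
    return [a for a in SNS_REQUIRED_ACTIONS
            if not is_allowed(policy, "Service", "sns.amazonaws.com", a)]


def sns_can_use_key(policy):
    return not missing_sns_actions(policy)


if __name__ == "__main__":
    print("original policy, SNS missing:", missing_sns_actions(ORIGINAL_POLICY))
    print("fixed policy, SNS missing:", missing_sns_actions(FIXED_POLICY))
    print("account B can Decrypt:", is_allowed(FIXED_POLICY, "AWS", ACCOUNT_B_ROOT, "kms:Decrypt"))
```

Two things the run makes visible: the asker's statement matches only the `AWS` principal, so the SNS service principal gets nothing from it no matter how broad the action list is, and even with the SNS statement added, account B itself still has no `kms:Decrypt` because none of its `kms:De*` wildcards covers that action. Cross-account use additionally needs an IAM policy in account B that allows the same actions on the key ARN; the key policy alone is not sufficient.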
