At 4:29 the summary says "the key policy – add the root user, not the individual IAM users/roles".
Can someone please verify whether I have understood this correctly?
In the key policy of the CMK I would add the root user of the account that wants access to it... but I am not using the root user to access that CMK key? Is it to allow or authorise the entire account access, and then the IAM policy of the requester applies when they want to access the CMK key?
Can someone please verify this.
Hi, yes that's correct, there are 2 steps:
1) In the CMK you need to allow the external ROOT account to have access
2) In the external account, you need to set up an IAM user or role with explicit permission to use the CMK
There is also a really good demo of this provided by the AWS Knowledge Center:
The documentation is clear:
To give permission to use a CMK to users and roles in another account, you must use two different types of policies:
The key policy for the CMK must give the external account (or users and roles in the external account) permission to use the CMK. The key policy is in the account that owns the CMK.
You must attach IAM policies to IAM users and roles in the external account. These IAM policies delegate the permissions that are specified in the key policy.
As such, you do not need to specify root. Any other user or role in the external account can also be specified. Hope this clarifies.
I found this to be a helpful read, from the KMS Best Practices document:
Cross Account Sharing of Keys
Delegation of permissions to a CMK within AWS KMS can occur when you include the root principal of a trusted account within the CMK key policy. The trusted account then has the ability to further delegate these permissions to IAM users and roles within their own account using IAM policies. While this approach may simplify the management of the key policy, it also relies on the trusted accounts to ensure that the delegated permissions are correctly managed. The other approach would be to explicitly manage permissions to all authorized users using only the KMS key policy, which, in turn, could make the key policy complex and less manageable. Regardless of the approach you take, the specific trust should be broken out on a per key basis to ensure that you adhere to the least privilege model.
So to conclude, both work!
I think the confusion is that when you use the console to add cross-account permission, it adds it as "root" – since you're giving the account permissions. If you manually edit the key policy, you can specify specific users – so you can give JeffK permission, but not the entire account. In either case though, the IAM policy in the second account must be updated correctly.
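Worked example, added here and not taken from any post in the thread: a small Python model of the two grants discussed above, the key policy naming the external account's root principal (as the console writes it) and the delegating IAM policy in the external account, with a check that fails if either grant is missing. Account IDs, region and key ID are placeholders, and the policy evaluation is deliberately simplified (no Deny statements, no conditions, no grants).

```python
# Added example, not from the thread: a model of the two grants that cross-account
# KMS access needs. Account IDs, region and key ID below are placeholders.
KEY_OWNER_ACCOUNT = "111111111111"  # placeholder: account that owns the CMK
EXTERNAL_ACCOUNT = "222222222222"   # placeholder: account whose users/roles need it
KEY_ARN = (f"arn:aws:kms:us-east-1:{KEY_OWNER_ACCOUNT}:key/"
           "00000000-0000-0000-0000-000000000000")  # placeholder key ID
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]

# Step 1: key policy in the owning account. Naming the external account's root
# principal (what the console writes) trusts the whole account and leaves user/role
# selection to its IAM policies; to trust one principal, use its ARN instead of ":root".
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EXTERNAL_ACCOUNT}:root"},
        "Action": KMS_ACTIONS,
        "Resource": "*",
    }],
}

# Step 2: IAM policy attached to a user or role in the external account.
EXTERNAL_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": KMS_ACTIONS, "Resource": KEY_ARN}],
}

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def key_policy_allows(key_policy, principal_arn, action):
    # Allowed if a statement names the principal itself or its account's root.
    root_arn = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    for st in key_policy["Statement"]:
        principals = as_list(st["Principal"]["AWS"])
        if (st["Effect"] == "Allow" and action in as_list(st["Action"])
                and (principal_arn in principals or root_arn in principals)):
            return True
    return False

def iam_policy_allows(iam_policy, key_arn, action):
    # Allowed if the external account's IAM policy covers the action on this key.
    return any(st["Effect"] == "Allow" and action in as_list(st["Action"])
               and st["Resource"] in ("*", key_arn) for st in iam_policy["Statement"])

def cross_account_allowed(principal_arn, action, key_policy=KEY_POLICY,
                          iam_policy=EXTERNAL_IAM_POLICY, key_arn=KEY_ARN):
    # Both grants are required. Explicit Deny statements are not modelled.
    return (key_policy_allows(key_policy, principal_arn, action)
            and iam_policy_allows(iam_policy, key_arn, action))
```

Replacing the `:root` principal with a user ARN such as `arn:aws:iam::222222222222:user/JeffK` narrows the key policy to that one principal, but the IAM policy in the external account is still needed.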