Via the KMS UI to grant cross account access, it will only able to grant to another account root user only. But i able to manually modify the key policy to grant to specific user under another account instead of root user. Will it still work with the IAM policy of another account to by use by the specific cross account user?
The way you configure it is a 2 step process:
Firstly, in the sharing account, grant access to the root account of the external account – this step alone will not be enough to give access to any users in the external account.
Secondly, from within the external account you need to add an IAM policy, or change an existing one for the users or roles who need access.
And you need to do both steps otherwise it will not work. – Of course this should be done on a least privilege basis, so that you don’t give away access to people or groups that don’t need it!
More details here:
and there is also a quick video from AWS on this subject:
hope that helps
Faye’s answer doesn’t really answer the question.
The AWS documentation ( https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html#cross-account-key-policy ) says "Instead of giving permission to the external account, you can specify particular external users and roles in the key policy" and then gives the policy below – sorry it’s difficult to format it in here. Based on this I believe the answer to the question is yes, you can give access to a user or role in another account rather than to the whole account.
"Sid": "Allow an external account to use this CMK",
Tried it out and it worked like a charm. So giving permission to a specific user will work. But you must define it manually the UI does not support that.