2 Answers
Hi,
The way you configure it is a 2 step process:
Firstly, in the sharing account, grant access to the root account of the external account – this step alone will not be enough to give access to any users in the external account.
Secondly, from within the external account you need to add an IAM policy, or change an existing one, for the users or roles who need access.
You need to do both steps, otherwise it will not work. Of course, this should be done on a least privilege basis, so that you don’t give away access to people or groups that don’t need it!
More details here:
and there is also a quick video from AWS on this subject:
https://www.youtube.com/watch?v=qS7P2DpJFZQ
Hope that helps,
Faye
Faye’s answer doesn’t really answer the question.
The AWS documentation (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html#cross-account-key-policy) says "Instead of giving permission to the external account, you can specify particular external users and roles in the key policy" and then gives the policy statement below – sorry, it’s difficult to format it in here. Based on this I believe the answer to the question is yes, you can give access to a user or role in another account rather than to the whole account.

```json
{
  "Sid": "Allow an external account to use this CMK",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::444455556666:role/ExampleRole",
      "arn:aws:iam::444455556666:user/ExampleUser"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```
Tried it out and it worked like a charm. So giving permission to a specific user will work. But you must define it manually; the UI does not support that.
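As an added example (not code from either answer or from AWS), here is a small Python review of both halves of the setup described above: which cross-account principals a key policy allows, and whether each grant is account-wide (a `:root` principal, so the external account's IAM policies decide who can use the key) or a specific user/role, plus a check that an external account's identity policy actually covers the key. The account IDs and policy documents are constructed sample values, and the action/resource matcher is a deliberately simplified stand-in for IAM's real evaluation (no conditions, NotAction or deny handling).

```python
import fnmatch
# Constructed sample key policy for a KMS key in account 111122223333 (example IDs only).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow an external account to use this CMK", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:role/ExampleRole",
                               "arn:aws:iam::444455556666:user/ExampleUser"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "Whole external account", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::777788889999:root"},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def cross_account_grants(policy, key_account):
    """Step 1 review: (principal, scope) for every Allow to a principal outside
    key_account. scope is 'account' for a :root principal (the external account's
    own IAM policies then decide who may use the key), 'principal' for a named user/role."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {})
        if not isinstance(principals, dict):  # "Principal": "*" has no AWS entry to inspect
            continue
        for arn in _as_list(principals.get("AWS", [])):
            parts = arn.split(":")  # arn:aws:iam::<account>:<root|user/x|role/y>
            if len(parts) < 6 or parts[4] == key_account:
                continue
            found.append((arn, "account" if parts[5] == "root" else "principal"))
    return found

def iam_policy_covers(iam_policy, key_arn, action):
    """Step 2 check: does an identity policy in the external account allow `action`
    on key_arn? Simplified matcher: wildcards only, no conditions, deny or NotAction."""
    for stmt in iam_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))) \
           and any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False
```

Running `cross_account_grants(KEY_POLICY, "111122223333")` lists the two named principals as `principal` grants and the `777788889999` root as an `account` grant, which is the distinction the question is about.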