Jan 21, 2022

Allow Cross-Account KMS Key Decryption to Specific IAM Roles

The {{ }} markers are substitution variables. Adjust the variable values according to your preference.

Policy Code

{
  "Version": "2012-10-17",
  "Id": "KMS Key Policy",
  "Statement": [
    {
      "Sid": "IAM Root User",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{{account-id}}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Cross Account Decryption",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{{remote-account-id1}}:role/{{remote-role-name1}}",
          "arn:aws:iam::{{remote-account-id2}}:role/{{remote-role-name2}}"
        ]
      }
    }
  ]
}
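As an added example (not code from the original page), a Python helper that fills the {{ }} placeholders of the policy above with constructed sample values and then audits the result: it flags any Allow statement that uses a wildcard principal, hands access to a whole remote account root instead of a role, or grants a principal outside the key's own account more than kms:Decrypt and kms:DescribeKey. The sample account ids and role names are assumptions; the home-account root statement is the standard administrative grant and is left untouched.

```python
import json
import re

# The key policy shown on this page, kept as a template with its {{ }} placeholders.
KEY_POLICY_TEMPLATE = """{
  "Version": "2012-10-17", "Id": "KMS Key Policy",
  "Statement": [
    {"Sid": "IAM Root User", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::{{account-id}}:root"}},
    {"Sid": "Cross Account Decryption", "Effect": "Allow", "Resource": "*",
     "Action": ["kms:Decrypt", "kms:DescribeKey"],
     "Principal": {"AWS": [
       "arn:aws:iam::{{remote-account-id1}}:role/{{remote-role-name1}}",
       "arn:aws:iam::{{remote-account-id2}}:role/{{remote-role-name2}}"]}}
  ]}"""

# Constructed sample values (account ids and role names are placeholders, not real).
SAMPLE_VARS = {"account-id": "111111111111",
               "remote-account-id1": "222222222222", "remote-role-name1": "app-reader",
               "remote-account-id2": "333333333333", "remote-role-name2": "etl-worker"}

# The only actions this policy intends to grant across account boundaries.
READ_ONLY = {"kms:Decrypt", "kms:DescribeKey"}

def render(template, variables):
    """Fill every {{name}} and parse the result; a missing variable raises KeyError
    rather than leaving a literal placeholder in a policy that will be applied."""
    filled = re.sub(r"\{\{\s*([\w-]+)\s*\}\}", lambda m: variables[m.group(1)], template)
    return json.loads(filled)

def audit(policy, home_account):
    """Return (Sid, reason) findings for Allow statements that grant principals
    outside home_account more than READ_ONLY, or that use '*' / an account root."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        arns = principal if isinstance(principal, str) else principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        extra = sorted(set(actions) - READ_ONLY)
        for arn in arns:
            if arn == "*":
                findings.append((sid, "wildcard principal"))
            elif arn.split(":")[4] != home_account:  # account id is the 5th ARN field
                if arn.endswith(":root"):
                    findings.append((sid, f"{arn} grants the whole remote account, not a role"))
                if extra:
                    findings.append((sid, f"{arn} gets actions beyond decrypt/describe: {extra}"))
    return findings
```

A clean audit of the rendered policy returns an empty list; adding an action such as kms:ScheduleKeyDeletion to the cross-account statement, or a remote `:root` principal, produces one finding per offending principal. The key policy alone does not authorize a caller in another account: each remote role also needs an identity policy in its own account that allows kms:Decrypt and kms:DescribeKey on this key's ARN.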
