How can I allow all accounts in an AWS Organization to use an AWS KMS key in my account?

Last updated: 2021-08-05

I want to restrict AWS Key Management Service (AWS KMS) key access to only the principals belonging to my AWS Organization.

Short description

The aws:PrincipalOrgID global condition key can be used with the Principal element in a resource-based policy with AWS KMS. Instead of listing all the AWS account IDs in an Organization, you can specify the Organization ID in the Condition element.

Resolution

Create an AWS KMS key policy to allow all accounts in an AWS Organization to perform AWS KMS actions using the AWS global condition context key aws:PrincipalOrgID.

Important: It is a best practice to grant least privilege permissions with AWS Identity and Access Management (IAM) policies.

Specify your AWS Organization ID in the condition element of the statement to make sure that only the principals from the accounts in your Organization can access the AWS KMS key. To get the Organization ID, follow these steps:

  1. Open the AWS Organizations console.
  2. Choose Settings.
  3. In Organization details, copy the Organization ID.

The following AWS KMS key policy statement allows identities of any AWS account belonging to the AWS Organization with ID o-xxxxxxxxxxx to use the KMS key:

{
  "Sid": "Allow use of the KMS key for organization",
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:ReEncrypt*",
    "kms:GetKeyPolicy"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalOrgID": "o-xxxxxxxxxxx"
    }
  }
}

Note: The aws:PrincipalOrgID global condition context key can't be used to restrict access to an AWS service principal. AWS services that invoke an API call are made from an internal AWS account that is not part of the AWS Organization.