Tracy shows you how to share a CMK with another AWS account


I want to securely grant access to my customer master key (CMK) to another AWS account, so it can be used to encrypt and decrypt data on that account. What is the best way to share my CMK?

To grant another account access to a CMK, create an IAM policy on the secondary account that grants access to use the CMK. For instructions, see Allowing External AWS Accounts to Access a CMK.

It’s a best practice to grant least-privilege access to your resources, especially when sharing them with accounts you don’t own. Consider also configuring CloudTrail to monitor the use of your keys.
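The following is an added example, not AWS's own code. Cross-account use of a CMK involves two policy documents: a statement in the CMK's key policy in the owning account that names the external account, and the IAM policy in the secondary account. The script builds both with cryptographic-use actions only and checks each statement for wildcard grants. The account ID, region and key ID are constructed placeholders, and `overbroad` is a hypothetical helper.

```python
import json

# Constructed placeholders (not from the page): account IDs, region and key ID.
EXTERNAL_ACCOUNT = "444455556666"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Cryptographic-use actions only; no key administration (kms:Put*, kms:ScheduleKeyDeletion, ...).
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]


def key_policy_statement(external_account):
    """Statement to add to the CMK's key policy in the owning account."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{external_account}:root"},
        "Action": USE_ACTIONS,
        "Resource": "*",  # in a key policy, "*" means the key the policy is attached to
    }


def external_iam_policy(key_arn):
    """IAM policy to attach to a user or role in the external account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": USE_ACTIONS, "Resource": key_arn}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overbroad(statement, is_key_policy):
    """Return least-privilege findings for one Allow statement."""
    findings = []
    if any(a in ("*", "kms:*") for a in _as_list(statement.get("Action", []))):
        findings.append("wildcard action")
    principal = statement.get("Principal")
    if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
        findings.append("wildcard principal")
    if not is_key_policy and "*" in _as_list(statement.get("Resource", [])):
        findings.append("wildcard resource")
    return findings


if __name__ == "__main__":
    for doc in (key_policy_statement(EXTERNAL_ACCOUNT), external_iam_policy(KEY_ARN)):
        print(json.dumps(doc, indent=2))
```

Naming the external account's root principal in the key policy delegates the decision to that account's IAM policies, so the IAM policy there should be attached only to the users or roles that need the key.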

Published: 2016-08-02