How do I share my customer master keys (CMKs) across multiple AWS accounts?
Last updated: 2019-10-14
I want to securely grant access to my customer master key (CMK) to another AWS account, so that it can be used to encrypt and decrypt data on that account. What is the best way to share my CMK?
To grant another account access to a CMK, create an IAM policy on the secondary account that grants access to use the CMK. For instructions, see Allowing Users in Other Accounts to Use a CMK.
You can also use automated monitoring tools to monitor your CMKs.
Note: It’s a best practice to grant least-privilege access to your resources, especially when sharing them with accounts you don’t own.