How do I share my AWS KMS keys across multiple AWS accounts?

Last updated: 2021-08-26

I want to securely grant access to my AWS KMS key to another AWS account, so that it can be used to encrypt and decrypt data on that account. What is the best way to share my KMS key?

Resolution

To grant another account access to a KMS key, two policies must both allow the access. First, the key policy on the key (in the account that owns it) must grant the external account, or specific principals in it, the KMS actions they need. Second, an IAM policy in the external account must grant its principals those same actions on the key. Neither policy alone is sufficient, and an IAM policy in the key-owning account cannot grant access to principals in another account. Principals in the external account must refer to the key by its full ARN, because key IDs and aliases do not resolve across accounts. For instructions, see Allowing users in other accounts to use a KMS key.
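The following added example (not part of the original article) shows both halves of the procedure as AWS CLI commands with the policy documents they need. The account IDs, key ID, region and the role name DataProcessorRole are placeholders chosen for illustration. Without an argument the script only prints the two policies; with the argument apply it writes them to files and calls the AWS CLI, which requires credentials for each account in turn.

```shell
#!/usr/bin/env bash
# Added example: grant a role in account 222222222222 use of a KMS key owned by
# account 111111111111. All IDs, names and the region below are placeholders.
set -euo pipefail

KEY_ACCOUNT="111111111111"
OTHER_ACCOUNT="222222222222"
KEY_ID="1234abcd-12ab-34cd-56ef-1234567890ab"
REGION="us-east-1"
CONSUMER_ROLE="DataProcessorRole"   # role in the other account that will use the key
KEY_ARN="arn:aws:kms:${REGION}:${KEY_ACCOUNT}:key/${KEY_ID}"

# Half 1 (key-owning account): the key policy. The first statement is the
# default one that keeps the owning account's IAM policies effective; the
# second grants one specific role in the other account only the
# cryptographic actions it needs, not kms:*.
key_policy() {
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${KEY_ACCOUNT}:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowCrossAccountUse",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${OTHER_ACCOUNT}:role/${CONSUMER_ROLE}"},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Half 2 (other account): the IAM policy attached to the role. The key policy
# alone is not enough; the role's own permissions must also allow the actions.
# The Resource is the full key ARN, since key IDs and aliases do not resolve
# across accounts, and it is never "*".
iam_policy() {
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "${KEY_ARN}"
    }
  ]
}
EOF
}

apply() {
  # Run with credentials for the key-owning account:
  key_policy > key-policy.json
  aws kms put-key-policy --key-id "$KEY_ID" --policy-name default \
      --policy file://key-policy.json --region "$REGION"

  # Run with credentials for the other account:
  iam_policy > use-shared-key.json
  aws iam put-role-policy --role-name "$CONSUMER_ROLE" \
      --policy-name UseSharedKmsKey --policy-document file://use-shared-key.json

  # Check from the other account: succeeds only if BOTH policies allow it.
  aws kms describe-key --key-id "$KEY_ARN" --region "$REGION"
}

if [ "${1:-}" = "apply" ]; then
  apply
else
  key_policy
  iam_policy
fi
```

The final describe-key call is the practical check: an AccessDeniedException there means one of the two policies is missing or does not cover the calling role.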

You can also monitor use of the shared key with automated tools such as AWS CloudTrail, which records each KMS API call together with the calling principal and its account.

Note: It’s a best practice to grant least privilege access to your resources, especially when sharing them with accounts you don’t own: grant only the KMS actions that are needed, on the specific key, to specific roles or users in the other account rather than to the whole account.