KMS Keys – Cross Account Keys in AWS
Also read ‘One KMS key per application?’ and Lost KMS Keys in AWS?
Cross-Account KMS Keys: Pros and Cons
When working with AWS Key Management Service (KMS), it’s common to keep encryption keys in a single, centralized account while allowing other AWS accounts to use those keys. This is called
cross-account KMS key usage, and it requires two layers of permissions:
- A key policy in the key-owner’s account that allows the external account to use the key.
- IAM policies in the external account that delegate permissions to specific principals to call KMS APIs (e.g.,
kms:Encrypt,kms:Decrypt).
AWS evaluates both the key policy and the IAM policy. Both must grant the necessary permissions for cross-account use to succeed.
Why Use Cross-Account Keys?
Organizations often want to centralize key management in a single security account, while allowing multiple application or workload accounts to encrypt/decrypt data using those centralized keys. This pattern can simplify auditing and compliance, and make key rotation or lifecycle management easier.
Pros of Cross-Account KMS Keys
- Centralized governance and control
By managing keys in one account, security teams can enforce uniform key policies, rotation schedules, and compliance checks. This helps meet regulatory and organizational requirements. - Simplified auditing
Key usage logs, CloudTrail events, and key policies reside in one place, making it easier to track which accounts are using which keys, and when. - Separation of duties
Application teams in different accounts can use keys without having full administrative control over them, supporting security best practices. - Cost and management efficiency
Instead of creating and rotating keys in every account, you can reuse a single key across multiple accounts, reducing operational overhead.
Cons and Considerations
- More complex permissions model
Cross-account KMS requires configuring both key
Leave a Reply