How to set up for Cross Account Key Usage
Written by Bakul Banthia
Updated over a week ago
  • Key's Source Account
    • A Key Policy must exist on the Encryption Key that grants the following permissions to the Data Plane Account user or role:
      • CreateGrant
      • Decrypt
      • DescribeKey
      • Encrypt
      • GenerateDataKey*
      • ReEncrypt*
  • Data Plane Account (DPA)
    • The user or role must have IAM permission to perform KMS operations within the Data Plane Account.

After the above setup, the Encryption Key can be used in the Data Plane Account.

Note: In the case of Multi-Region Keys, each Replica Key has its own Key Policy. Hence the Key Policy is required on every Replica Key that needs to be registered on Tessell.

Key Policy example (the principal ARN is a sample; replace DATA_PLANE_ACCOUNT_NUMBER and the role with the Data Plane Account user or role that will use the key)

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-1",
  "Statement": [
    {
      "Sid": "Allow an external account to use this KMS key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::DATA_PLANE_ACCOUNT_NUMBER:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_Deny-EC2-Creation_1987d3a5019277f8"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
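As an added check that is not part of this article or of Tessell's tooling, the Python below reads a key policy document and reports which of the six required KMS actions are not granted to a given Data Plane Account. The sample policy, the account number 111122223333 and the role name DataPlaneRole are constructed for the example; wildcard actions such as "kms:ReEncrypt*" are expanded the way IAM does, and the check goes beyond the page by also accepting "kms:*" or "*" and a bare account-ID principal.

```python
import fnmatch
import json

# The six permissions the article says the source-account key policy must grant.
REQUIRED_ACTIONS = [
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
    "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncrypt",
]

# Constructed sample: the article's example policy with a placeholder DPA account.
# It deliberately omits kms:CreateGrant so the check has something to report.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow an external account to use this KMS key",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/DataPlaneRole"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    }],
})

def _as_list(value):
    """Action and Principal.AWS may be a single string or a list in IAM JSON."""
    return value if isinstance(value, list) else [value]

def _principal_in_account(statement, account_id):
    """True if the statement's AWS principal belongs to account_id (or is '*')."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    for arn in _as_list(principal.get("AWS", [])):
        if arn in ("*", account_id) or f":{account_id}:" in arn:
            return True
    return False

def missing_actions(policy_json, account_id):
    """Required KMS actions that no Allow statement grants to account_id.
    Action patterns such as 'kms:ReEncrypt*' or 'kms:*' are matched with fnmatch;
    IAM action names are case-insensitive, so both sides are lower-cased."""
    granted = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_in_account(stmt, account_id):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in REQUIRED_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return sorted(a for a in REQUIRED_ACTIONS if a not in granted)
```

The check only inspects Action, Effect and Principal; it does not evaluate Condition blocks or the separate IAM policy that the Data Plane Account user or role also needs.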
