Skip to main content
All CollectionsGeneralSecurity
How to set up for Cross Account Key Usage
How to set up for Cross Account Key Usage
Bakul Banthia avatar
Written by Bakul Banthia
Updated over 7 months ago

  • Key's Source Account

    • Key Policy must exist on Encryption Key that grants the following permissions to Data Plane Account user or role.

      • CreateGrant

      • Decrypt

      • DescribeKey

      • Encrypt

      • GenerateDataKey*

      • ReEncrypt*

  • Data Plane Account (DPA)

    • The user or role must have IAM permission to perform KMS operations within the Data Plane Account.

After the above setup, the Encryption Key can be used in the Data Plane Account.

Note: In case of Multi-Region Keys, each Replica Key has separate Key Policies. Hence Key Policy is required on all Replica Keys which needs to be registered on Tessell.

Key Policy example

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-1",
    "Statement": [
        {
            "Sid": "Allow an external account to use this KMS key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::DATA_PLANE_ACCOUNT_NUMBER:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_Deny-EC2-Creation_1987d3a5019277f8"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

Related Articles
What are all the Apps in Tessell?
Oracle database patching in Tessell
What are the resources created each time a region is enabled in a subscription?
How are SSL Certificates configured for databases?
What authentication and authorization mechanism does the Tessell agent use when sending data over NATS?
Did this answer your question?