All Collections
How to set up for Cross Account Key Usage
How to set up for Cross Account Key Usage
Bakul Banthia avatar
Written by Bakul Banthia
Updated over a week ago
  • Key's Source Account

    • Key Policy must exist on Encryption Key that grants the following permissions to Data Plane Account user or role.

      • CreateGrant

      • Decrypt

      • DescribeKey

      • Encrypt

      • GenerateDataKey*

      • ReEncrypt*

  • Data Plane Account (DPA)

    • The user or role must have IAM permission to perform KMS operations within the Data Plane Account.

After the above setup, the Encryption Key can be used in the Data Plane Account.

Note: In case of Multi-Region Keys, each Replica Key has separate Key Policies. Hence Key Policy is required on all Replica Keys which needs to be registered on Tessell.

Key Policy example

"Version": "2012-10-17",
"Id": "key-consolepolicy-1",
"Statement": [
"Sid": "Allow an external account to use this KMS key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::DATA_PLANE_ACCOUNT_NUMBER:role/aws-reserved/"
"Action": [
"Resource": "*"

Did this answer your question?