This AWS CloudFormation template creates an AWS KMS customer managed key with a key policy for an administrator and a user. The key is also shared with another AWS account (cross-account access).
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation template to create a KMS key shared with another account.'
Parameters:
  ExternalAccountId:
    Type: String
    Description: The 12-digit AWS Account ID to share the key with.
    AllowedPattern: '^\d{12}$'
Resources:
  SharedCustomerKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for cross-account access
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Keep the owning account's root able to manage the key, so the
          # key policy can always be updated from this account.
          - Sid: EnableRootPermissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: kms:*
            Resource: '*'
          # Administrative actions only; no Encrypt/Decrypt for the admin.
          - Sid: Allow access for Key Administrators
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:user/Administrator'
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
              - kms:RotateKeyOnDemand
            Resource: '*'
          # Cryptographic usage only for the local user.
          - Sid: Allow User1 to use key
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:user/User1'
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
          # The external account gets the same usage-only set; it must still
          # delegate these actions to its own principals via IAM policies.
          - Sid: AllowCrossAccountUsage
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${ExternalAccountId}:root'
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
  SharedCustomerKMSKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/cross-account-key
      TargetKeyId: !Ref SharedCustomerKMSKey
Outputs:
  KMSKeyArn:
    Description: ARN of the created KMS key
    Value: !GetAtt SharedCustomerKMSKey.Arn
```
Here is a link to a video showing how to do the same in the AWS KMS console: https://youtu.be/Ey-rumNz_3E
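As an added example (not part of the original post or the template), a small Python linter for the key policy above. It checks the invariants that make a shared key safe to operate: the owning account's root keeps `kms:*`, no statement grants an unconditional `Principal: "*"`, and foreign accounts receive only the usage actions. The account IDs and the `example_policy` helper are constructed placeholders that mirror the template's root and cross-account statements.

```python
import fnmatch

# The usage-only action set the template grants to User1 and the external account.
USAGE_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey")


def _principals(stmt):
    """AWS principals of one statement as a list ('*' means anyone)."""
    p = stmt.get("Principal", {})
    aws = p if p == "*" else p.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def _actions(stmt):
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def _account_of(principal):
    """Account id of an ARN principal (arn:aws:iam::111122223333:root) or a bare id."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def lint_key_policy(policy, owner_account):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    allow = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    root = f"arn:aws:iam::{owner_account}:root"
    if not any(root in _principals(s) and "kms:*" in _actions(s) for s in allow):
        findings.append("owner root principal lacks kms:* (key may become unmanageable)")
    for s in allow:
        for principal in _principals(s):
            if principal == "*" and "Condition" not in s:
                findings.append(f"{s.get('Sid')}: unconditional Principal * (public key)")
                continue
            if _account_of(principal) == owner_account:
                continue  # local principals may hold admin actions
            for action in _actions(s):
                if not any(fnmatch.fnmatchcase(action, u) for u in USAGE_ACTIONS):
                    findings.append(f"{s.get('Sid')}: foreign {principal} allowed {action}")
    return findings


def example_policy(owner, external):
    """Constructed stand-in for the template's policy with !Sub references resolved."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow", "Resource": "*",
         "Principal": {"AWS": f"arn:aws:iam::{owner}:root"}, "Action": "kms:*"},
        {"Sid": "AllowCrossAccountUsage", "Effect": "Allow", "Resource": "*",
         "Principal": {"AWS": f"arn:aws:iam::{external}:root"}, "Action": list(USAGE_ACTIONS)},
    ]}
```

The key policy alone does not grant access to anyone in the external account: its principals still need an IAM policy in that account allowing the same `kms:` actions on this key's ARN.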
Great CF template!