My client had a requirement to clone an Aurora database from the production account to a test account. In adherence to standard security practices, the production Aurora instance was configured with encryption utilizing a customer-managed Key Management Service (KMS) key. To enable the successful cloning of the database into the test account, a prerequisite step is to share the KMS key from the production account with the test account.
If the key was created via the console, navigate to the KMS page and filter for the key. Click the alias, open the Key Policy tab and scroll down: there is an option to add other AWS accounts.
However, keys created via a CloudFormation template such as the one below:
Resources:
  #
  ## Create a key
  #
  rCreateDBKMSCMK:
    Type: AWS::KMS::Key
    DeletionPolicy: Retain
    Properties:
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::111111111121:root'
            Action: 'kms:*'
            Resource: '*'
      Tags:
        - Key: Name
          Value: dc-test-key-03
  #
  ## Create an alias for the key
  #
  rCreateDBKMSCMKAlias:
    Type: 'AWS::KMS::Alias'
    DeletionPolicy: Retain
    Properties:
      AliasName: 'alias/dc-test-key-03-alias'
      TargetKeyId: !Ref rCreateDBKMSCMK
lack the button for adding other AWS accounts:
To allow sharing, the statements below need to be added to the key’s policy.
- In this example, account 101010101010 is the key owner and is sharing the key with account 707070707070.
- Typically the key policy will already contain the first statement (the owner account’s kms:* permission). The two statements that grant permissions to account 707070707070 are the ones needed to enable the share.
- In this example, I am sharing with the root account. This can be changed as per your security requirements.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::101010101010:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::707070707070:root"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::707070707070:root"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
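The following is an added example, not code from the post or from AWS. It builds the same two sharing statements shown above in code, merges them into an existing key policy without duplicating them on a second run, and audits the result offline so you can confirm which kms actions the target account ends up with before applying the policy. The sample starting policy is constructed from the post’s owner-only statement; the account IDs are the post’s example values, and the function names are my own.

```python
"""Merge KMS cross-account sharing statements into a key policy and audit the result.

Added example (not the post's own code). Applying the merged document to a real
key is done separately with `aws kms put-key-policy` (see the note below).
"""
import json
import re
from typing import Any, Dict, List, Set

ACCOUNT_RE = re.compile(r"^\d{12}$")

# Actions the post grants the consuming account for ordinary use of the key.
USE_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]
# Grant actions, restricted by condition to grants created on behalf of an AWS
# service (RDS/Aurora uses grants to attach the key to the cloned cluster).
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]

# Constructed sample: the owner-only policy a CloudFormation-created key starts with.
OWNER_ONLY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::101010101010:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def _root_arn(account: str) -> str:
    """Reject anything that is not a 12-digit account ID before it lands in a policy."""
    if not ACCOUNT_RE.match(account):
        raise ValueError(f"not a 12-digit AWS account id: {account!r}")
    return f"arn:aws:iam::{account}:root"


def _principals(stmt: Dict[str, Any]) -> Set[str]:
    """Normalise the Principal element ("*", a string, or a list) to a set."""
    p = stmt.get("Principal", {})
    if p == "*":
        return {"*"}
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return {aws} if isinstance(aws, str) else set(aws)


def _actions(stmt: Dict[str, Any]) -> List[str]:
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def cross_account_statements(target_account: str) -> List[Dict[str, Any]]:
    """The two statements from the post that share the key with target_account's root."""
    root = _root_arn(target_account)
    return [
        {
            "Effect": "Allow",
            "Principal": {"AWS": root},
            "Action": USE_ACTIONS,
            "Resource": "*",
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": root},
            "Action": GRANT_ACTIONS,
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ]


def share_key_policy(policy: Dict[str, Any], target_account: str) -> Dict[str, Any]:
    """Return a deep copy of `policy` with the sharing statements appended.

    Idempotent: a statement identical to one already present is not added again,
    so re-running the script does not pile up duplicate statements.
    """
    merged = json.loads(json.dumps(policy))
    stmts = merged.setdefault("Statement", [])
    for new in cross_account_statements(target_account):
        if new not in stmts:
            stmts.append(new)
    return merged


def allowed_actions(policy: Dict[str, Any], account: str) -> Set[str]:
    """Actions granted by Allow statements to `account`'s root principal (or to "*")."""
    root = _root_arn(account)
    granted: Set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principals(stmt) & {root, "*"}:
            granted.update(_actions(stmt))
    return granted


def can_decrypt(policy: Dict[str, Any], account: str) -> bool:
    """True if the key policy lets `account` call kms:Decrypt (directly or via kms:*)."""
    acts = allowed_actions(policy, account)
    return "kms:*" in acts or "kms:Decrypt" in acts


if __name__ == "__main__":
    merged = share_key_policy(OWNER_ONLY_POLICY, "707070707070")
    print(json.dumps(merged, indent=2))  # write this to a file for put-key-policy
```

Write the printed document to a file and apply it from the key-owning account with `aws kms put-key-policy --key-id <key id or ARN> --policy-name default --policy file://merged.json` (`default` is the only policy name KMS accepts). Two things the key policy alone does not give you: the principals in 707070707070 still need an IAM policy in their own account allowing these kms actions on the key’s ARN, since the key policy only delegates to that account as a whole, and from the other account the key has to be referenced by its full ARN rather than an alias or bare key ID. The `kms:GrantIsForAWSResource` condition on the third statement is what keeps the grant permission narrow: grants can only be created through an AWS service such as RDS acting for the account, not directly by a user there.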
After the above policy change has been made, the key is shared with the other account. This can be verified by signing in to the 707070707070 account and running the command below to describe the key:
aws kms describe-key --key-id=arn:aws:kms:us-east-1:101010101010:key/6897