In this section, we will create a key that grants key usage permissions to a second AWS account (account 2), as follows:
- Go to the KMS dashboard, click on Create key, and start creating a CMK by providing an Alias and Description.
- Optionally, add any Tags on the next screen.
- On the next screen, we can add any key administrators if we want to.
- On the Define key usage permissions screen, scroll down to the Other AWS accounts section.
- Click on Add another AWS account.
- Enter the account ID of the second AWS account and click Next.
- On the Review and edit key policy screen, click Finish. We should see that the following statement has been added to the key policy:

```json
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::380701114427:root"
    },
    "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": "true"
        }
    }
}
```

The kms:GrantIsForAWSResource condition limits these grant operations to grants that an AWS service integrated with KMS (for example, EBS or RDS) creates on behalf of a principal in account 2 when it attaches the key to a resource, which is what "persistent resources" refers to; this statement alone does not let account 2 create arbitrary grants on the key.
The ARN for our newly created key is as follows: arn:aws:kms:us-east-1:135301570106:key/d791248f-c742-4ed9-a081-cfa314dd6903. Principals in account 2 must reference the key by this ARN in their IAM policies and API calls, since key aliases are local to the key-owning account.
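As an added example (not part of the original recipe), the following Python audits a key policy document for cross-account access and flags any statement that grants kms:CreateGrant and friends to an external account without the kms:GrantIsForAWSResource condition. The sample policy is constructed here; only the grant statement matches the one the console added above, and the function names are this example's own.

```python
# Constructed sample policy (example input, not the full policy the console wrote).
# 135301570106 owns the key and 380701114427 is the second account, as in this
# section; the grant statement matches the one shown above, the rest is simplified.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::135301570106:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::380701114427:root"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::380701114427:root"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

# Actions that let a principal create or revoke grants (wildcards cover them too).
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant", "kms:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # "arn:aws:iam::123456789012:root" -> "123456789012"; "*" and bare IDs pass through
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def audit_cross_account(policy, owner_account):
    """One finding per Allow statement that names a principal outside owner_account."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = set(_as_list(stmt.get("Action", [])))
        cond = stmt.get("Condition", {}).get("Bool", {})
        scoped = str(cond.get("kms:GrantIsForAWSResource", "")).lower() == "true"
        for account in sorted({_account_of(p) for p in aws_principals} - {owner_account}):
            findings.append({"sid": stmt.get("Sid"), "account": account,
                             "actions": sorted(actions),
                             # grant permissions not limited to grants made for AWS services
                             "unscoped_grants": bool(actions & GRANT_ACTIONS) and not scoped})
    return findings
```

Running it against the real policy (for example the output of `aws kms get-key-policy --policy-name default`) gives a quick inventory of which external accounts can use the key and whether their grant rights are scoped.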