I have an S3 folder that has encrypted objects in it. It is encrypted with the AWS KMS managed keys, not a custom key. I need another AWS account to be able to copy files from this bucket. From what I can tell, I can't share this KMS key across accounts. I also can't easily change this bucket to use custom keys as there are implications with customers. Are there any known good workarounds here?
I did some experimentation on two of my accounts.
I found out that by using bucket policies, you can enable access to another account only for:
However, if you use an AWS managed CMK, a bucket policy is NOT suited.
Instead, you can enable access to your bucket and objects using cross-account roles. I verified that it works.
In Acc A (the one with the bucket with AWS-KMS encryption), I created a role called kmss3bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:us-east-1:xxxxxx:key/b811de9a-150a-4d89-8a9a-03e1b878737d"
        }
    ]
}
A user in Acc B assumes the role, using STS:
aws sts assume-role --role-arn arn:aws:iam::xxxxx:role/kmss3bucket --role-session-name cross-account-s3
This will generate new temporary AWS credentials. Using these credentials, Acc B will be able to copy the objects from Acc A that are encrypted with AWS-KMS.
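The role-based approach in the answer above works because the AWS managed key's policy (aws/s3) only lets principals of the key's own account use it, so a principal from Acc B has to become a principal of Acc A by assuming a role there. For that to actually succeed, the role needs two documents the answer does not show: a trust policy naming Acc B, and a permissions policy that grants the S3 read actions alongside kms:Decrypt (the user in Acc B also needs sts:AssumeRole on the role ARN). The script below is an added example, not code from the original post. It builds both documents, includes a small wildcard-matching checker that reports which of the required grants a policy is missing (it ignores Deny statements and Condition blocks, so it is a sanity check, not an IAM simulator), and shows the assume-role plus download step. Every account ID, bucket name, key ARN and object key in it is a constructed placeholder.

```python
"""Cross-account read of S3 objects encrypted with the AWS managed aws/s3 key.

Added example; all identifiers below are constructed placeholders (assumptions).
"""
import fnmatch
import json

BUCKET_ACCOUNT = "111111111111"   # Acc A: owns the bucket and the aws/s3 managed key
READER_ACCOUNT = "222222222222"   # Acc B: the account that needs to copy objects
BUCKET = "example-sse-kms-bucket"
REGION = "us-east-1"
KEY_ARN = f"arn:aws:kms:{REGION}:{BUCKET_ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
ROLE_NAME = "kmss3bucket"
ROLE_ARN = f"arn:aws:iam::{BUCKET_ACCOUNT}:role/{ROLE_NAME}"


def trust_policy(reader_account: str) -> dict:
    """Who may assume the role. ':root' means any IAM principal in Acc B that its own
    policies allow; narrow this to a specific user or role ARN in production."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{reader_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(bucket: str, key_arn: str, region: str) -> dict:
    """What the role may do: list and read one bucket, and decrypt with the key only
    when the Decrypt call is made by S3 on the caller's behalf (kms:ViaService)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn,
             "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: True if any Allow statement has an Action pattern and a
    Resource pattern (IAM '*' and '?' wildcards) matching the request.
    Deliberately ignores Deny, NotAction/NotResource and Condition blocks."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def missing_grants(policy: dict, bucket: str, key_arn: str) -> list:
    """Actions a cross-account reader needs that this policy does not grant.
    The object key used for the GetObject probe is a constructed sample."""
    needed = [
        ("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        ("s3:GetObject", f"arn:aws:s3:::{bucket}/customer/data.csv"),
        ("kms:Decrypt", key_arn),
    ]
    return [action for action, resource in needed if not allows(policy, action, resource)]


def fetch_object(role_arn: str, bucket: str, key: str, dest: str,
                 session_name: str = "cross-account-s3") -> None:
    """Run from Acc B: assume the role, then read the object as an Acc A principal.
    Needs network access and Acc B credentials, so boto3 is imported lazily."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    s3 = boto3.client("s3",
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    s3.download_file(bucket, key, dest)


if __name__ == "__main__":
    print(json.dumps(trust_policy(READER_ACCOUNT), indent=2))
    print(json.dumps(permissions_policy(BUCKET, KEY_ARN, REGION), indent=2))
    # A policy that grants kms:Decrypt alone, like the one in the answer above,
    # still leaves the S3 read actions ungranted:
    decrypt_only = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}
    print("missing:", missing_grants(decrypt_only, BUCKET, KEY_ARN))
```

The kms:ViaService condition is optional but cheap: it stops the same temporary credentials from calling KMS Decrypt directly on ciphertext obtained elsewhere, which is the least-privilege shape you want for a role whose only job is reading one bucket. Attach the trust document with create-role and the permissions document with put-role-policy in Acc A, then the assume-role command from the answer above works from Acc B.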