I am using an AWS RDS database cluster encrypted with a KMS CMK that resides in the same AWS account.
My DB cluster seems to be working fine with the default KMS policy, but I am not sure how RDS has access to the key if I did not specifically grant it.
Is this expected and the best practice? Or do I need to add a specific policy for RDS? I am a bit paranoid that my cluster might be missing permissions and may stop working at some point in the future.
It turned out that there is no need to add a specific policy to allow RDS access to KMS.
RDS gains access to the key from a grant given by the entity creating the DB cluster.
You can view the list of grants by running the following command:
aws kms list-grants --key-id yourkey
Here is a link to the source where I've found this information: https://www.reddit.com/r/aws/comments/f17a25/rds_and_kms_access_a_follow_up/