AWS KMS Key Policy

  • Similar to an S3 bucket policy, with one difference: without a key policy you have no access to the key itself at all

  • Default KMS Key Policy

    • A KMS key created without an explicit policy gets the default key policy
    • The default policy allows every user in the AWS account access to that key
  • Custom KMS Key Policy

    • Define the users and roles that can
      • access (use) the KMS key
      • administer the key
    • Useful for cross-account access
      • For example, copying an encrypted volume across accounts:
        1. Create a snapshot, encrypted with your own KMS key (Customer Managed Key, CMK)
        2. Attach a KMS key policy that authorises cross-account access to the key
        3. Share the encrypted snapshot with the other account
        4. Switch to the other account, create a copy of that snapshot and encrypt it with the shared CMK
        5. Create a volume from the snapshot copy
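The custom key policy behind step 2, as an added example that is not part of these notes: it keeps the owning account in control, names one administrator role, and lets a second account use the key with the actions EBS needs for the cross-account snapshot copy. The account IDs and the role name `KmsAdmin` are constructed placeholders; `principals_allowed` is a small helper for checking who a given action is granted to.

```python
def cross_account_key_policy(owner: str = "111111111111", peer: str = "222222222222",
                             admin_role: str = "KmsAdmin") -> dict:
    """Custom key policy: owner keeps control, one role administers the key, and a
    second account may use it. Defaults are constructed placeholder IDs, not real accounts."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Without this statement the owner's own IAM policies cannot reach the key.
                "Sid": "EnableIAMUserPermissions", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
                "Action": "kms:*", "Resource": "*",
            },
            {   # Administer the key (policy, rotation, deletion) without being able to use it.
                "Sid": "KeyAdministrators", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner}:role/{admin_role}"},
                "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                           "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {   # Cryptographic use from the peer account; its own IAM policies must also allow it.
                "Sid": "CrossAccountUse", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{peer}:root"},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {   # EBS needs a grant to attach the key to the copied snapshot/volume; the condition
                # limits grants to AWS services, so the peer cannot re-delegate the key to others.
                "Sid": "CrossAccountGrants", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{peer}:root"},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def principals_allowed(policy: dict, action: str) -> set:
    """Principals whose Allow statements cover `action` (exact or 'kms:Prefix*' match)."""
    allowed = set()
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        matches = any(a == action or (a.endswith("*") and action.startswith(a[:-1]))
                      for a in actions)
        if st["Effect"] == "Allow" and matches:
            allowed.add(st["Principal"]["AWS"])
    return allowed
```

Review the result with `principals_allowed(policy, "kms:ScheduleKeyDeletion")` before applying it: only the owner root and the admin role should appear, never the peer account.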