| Key Type | Cross-Account | Description |
|---|---|---|
| AWS Owned | N/A | AWS internal, not visible |
| AWS Managed (aws/s3) | ❌ | Cannot be shared |
| Customer Managed (CMK) | ✅ | Required for cross-account |
Both policies are required:
1. Key Policy (Account A — key owner), statement added alongside the key owner's existing statements:
```json
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::222222222222:root"
  },
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}
```
2. IAM Policy (Account B — key user):
```json
{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:GenerateDataKey"
  ],
  "Resource": "arn:aws:kms:us-east-1:111111111111:key/key-id"
}
```
S3 cross-account scenario:
Account A: S3 bucket + KMS CMK
Account B: Needs to read/write encrypted objects
1. Bucket policy → Allow Account B s3:GetObject, s3:PutObject
2. Key policy → Allow Account B kms:Decrypt, kms:GenerateDataKey
3. Account B IAM policy → Allow s3 + kms actions on Account A resources
EBS snapshot cross-account scenario:
1. Account A: Create EBS snapshot (encrypted with CMK)
2. Account A: Share snapshot with Account B
3. Account A: Grant Account B access to CMK
4. Account B: Copy snapshot → re-encrypt with own CMK
5. Account B: Create volume from copied snapshot
Common pitfall:
Account A encrypts S3 object with aws/s3 (AWS managed key)
Account B tries to read → AccessDenied!
Fix: Account A must use Customer Managed Key (CMK)
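Added worked example (not from these notes and not AWS's own evaluator): a small Python model of the decision described in the two-policy rule, the S3 scenario and the aws/s3 pitfall above. It shows that a cross-account call succeeds only when the key policy in Account A and the IAM policy in Account B both allow the action, that an explicit Deny in either wins, and that an AWS managed key (alias/aws/...) can never grant a foreign account access because its key policy cannot be edited. Account ids, the key id, the role name `s3-app-role` and the alias names are placeholders; Conditions, NotAction, grants and SCPs are deliberately not modelled.

```python
# Constructed model of the KMS cross-account authorization decision (added
# example): Allow/Deny, Action/Resource wildcards and Principal are handled.
import fnmatch
from typing import List, Optional, Set, Tuple

ACCOUNT_A = "111111111111"   # key owner (placeholder id)
ACCOUNT_B = "222222222222"   # key user  (placeholder id)
CMK_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/KEY-ID-PLACEHOLDER"
CALLER_B = f"arn:aws:iam::{ACCOUNT_B}:role/s3-app-role"   # hypothetical role

# Key policy on A's CMK: the owner's admin statement plus the notes' grant to
# Account B's root, which delegates the decision to B's own IAM policies.
KEY_POLICY_A = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowAccountB", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
         "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"],
         "Resource": "*"},
    ],
}

# IAM policy on the role in Account B, naming A's key by ARN.
IAM_POLICY_B = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"],
         "Resource": CMK_ARN},
    ],
}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, fold_case: bool) -> bool:
    """IAM-style wildcard match ('*', '?'); action names are case-insensitive."""
    pats = _as_list(patterns)
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _principal_covers(stmt: dict, caller_arn: str) -> bool:
    """Key-policy Principal check: '*', the caller's exact ARN, or the caller's
    account (bare id or root ARN, which hands the decision to that account's IAM)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    account = caller_arn.split(":")[4]
    accepted = {"*", account, f"arn:aws:iam::{account}:root", caller_arn}
    return any(p in accepted for p in _as_list(principal.get("AWS", [])))


def _effects(policy: Optional[dict], action: str, resource: str,
             caller_arn: Optional[str] = None) -> Set[str]:
    """Effects of all matching statements; pass caller_arn only for the key policy."""
    found: Set[str] = set()
    for stmt in (policy or {}).get("Statement", []):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", "*"), resource, fold_case=False):
            continue
        if caller_arn is not None and not _principal_covers(stmt, caller_arn):
            continue
        found.add(stmt["Effect"])
    return found


def kms_cross_account_decision(key_arn: str, key_alias: str, key_policy: dict,
                               iam_policy: Optional[dict], action: str,
                               caller_arn: str) -> Tuple[bool, str]:
    """Cross-account use needs BOTH a key-policy Allow (owner account) and an
    IAM-policy Allow (caller account); an explicit Deny in either wins."""
    key_account, caller_account = key_arn.split(":")[4], caller_arn.split(":")[4]
    # AWS managed keys (aws/s3, aws/ebs, ...) have an AWS-controlled key policy
    # that cannot be edited, so they can never grant a foreign account access.
    if caller_account != key_account and key_alias.startswith("alias/aws/"):
        return False, "AWS managed key: policy not editable, no cross-account access"
    key_effects = _effects(key_policy, action, key_arn, caller_arn)
    iam_effects = _effects(iam_policy, action, key_arn)
    if "Deny" in key_effects | iam_effects:
        return False, "explicit Deny"
    if "Allow" not in key_effects:
        return False, "key policy (owner account) does not allow the caller's account"
    if "Allow" not in iam_effects:
        return False, "IAM policy (caller account) does not allow the action"
    return True, "allowed: key policy AND IAM policy both permit it"


if __name__ == "__main__":
    for label, alias, iam, action in [
        ("CMK, both policies  ", "alias/account-a-cmk", IAM_POLICY_B, "kms:Decrypt"),
        ("CMK, action missing ", "alias/account-a-cmk", IAM_POLICY_B, "kms:Encrypt"),
        ("CMK, no IAM policy  ", "alias/account-a-cmk", None, "kms:Decrypt"),
        ("aws/s3 managed key  ", "alias/aws/s3", IAM_POLICY_B, "kms:Decrypt"),
    ]:
        print(label, kms_cross_account_decision(CMK_ARN, alias, KEY_POLICY_A,
                                               iam, action, CALLER_B))
```

Running the script prints one decision per case: only the first (customer managed key, both policies present) is allowed; dropping either policy, asking for an action neither policy lists, or pointing at an aws/s3 managed key is denied with the reason given, which mirrors the AccessDenied in the pitfall above.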
Exam Tip: Cross-account encryption = Customer Managed Key only. AWS Managed keys (aws/s3, aws/ebs) are NOT shareable cross-account. Both Key Policy + IAM Policy are required. EBS snapshots cross-account → re-encrypt with own CMK.