Cross-Account Manager

Appendix B: Configuring AWS KMS Permissions for Additional Users

By default, only the solution’s AWS Lambda functions in the master account and IAM users with AWS KMS administrative permissions have access to the solution-generated AWS KMS key (CrossAccountManager-Key). This key is used to upload files to the Amazon S3 configuration bucket. Use the following steps to grant additional AWS Identity and Access Management (IAM) users access to the key, allowing them to upload configuration files for new sub-accounts.

  1. Log in to the AWS Management Console of the master account (where you launched the solution’s master template).

  2. Open the IAM console and note the IAM users to whom you will grant access.

  3. From the left pane, choose Encryption Keys.

  4. Choose the encryption key with the alias CrossAccountManager-Key, and in the Key Policy section, choose Switch to policy view.

  5. In the list of roles allowed to use the master key, add a new line for each additional account ID. The added line is the IAM user ARN that appears as the last entry of the Principal list in the following code block (it was shown in bold in the original guide).

    {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::xxxxxxxxxxxx:role/cam-master-AccountEventHandlerExecRole/acc-mgmt-master-AccountEventHandlerExecRole-AAABBB111222",
                "arn:aws:iam::xxxxxxxxxxxx:role/cam-master-SolutionHelperRole-O3OHJ329NA6W",
                "arn:aws:iam::xxxxxxxxxxxx:role/cam-master-AccountFileHandlerExecRole/acc-mgmt-master-AccountFileHandlerExecRole-333444CCCDDD",
                "arn:aws:iam::xxxxxxxxxxxx:role/cam-master-RoleFileHandlerExecRole/acc-mgmt-master-RoleFileHandlerExecRole-EEEFFF555666",
                "arn:aws:iam::xxxxxxxxxxxx:role/cam-master-AccessLinksHandlerExecRole/acc-mgmt-master-AccessLinksHandlerExecRole-777888GGGHHH",
                "arn:aws:iam::xxxxxxxxxxxx:user/UserName"
            ]
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    }
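The console edit above can be scripted so that the key policy is changed in one place and with a few guardrails: only the statement with the Sid "Allow use of the key" is touched, the ARN must be a well-formed IAM user ARN (not a root or wildcard principal), it must belong to the same account as the principals already on the key, and adding the same user twice is a no-op. This is an added example, not code shipped with the Cross-Account Manager solution; the sample policy, account ID 111111111111, the role name and the function names are constructed placeholders, and applying it to a live key assumes boto3 and KMS administrative permissions.

```python
"""Add an IAM user to the 'Allow use of the key' statement of a KMS key policy."""
import json
import re

# Constructed sample mirroring the Appendix B statement (placeholder account/role).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::111111111111:role/cam-master-SolutionHelperRole-PLACEHOLDER",
        ]},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    }],
})

# Only a specific IAM user ARN is accepted: no ':root', no '*', no role ARNs.
USER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):user/[\w+=,.@-]+$")


def add_user_to_key_policy(policy_json, user_arn, sid="Allow use of the key"):
    """Return policy_json with user_arn appended to the Principal list of `sid`.

    Raises ValueError for a malformed ARN or one from another account.
    """
    match = USER_ARN_RE.match(user_arn)
    if not match:
        raise ValueError("not an IAM user ARN: %s" % user_arn)
    policy = json.loads(policy_json)
    stmt = next(s for s in policy["Statement"] if s.get("Sid") == sid)
    principals = stmt["Principal"]["AWS"]
    if isinstance(principals, str):  # a single principal is stored as a bare string
        principals = [principals]
    # Field 4 of an ARN is the account ID; refuse principals from other accounts.
    if match.group(1) not in {p.split(":")[4] for p in principals}:
        raise ValueError("user is outside the key's account: %s" % user_arn)
    if user_arn not in principals:  # idempotent: re-running adds no duplicate
        principals.append(user_arn)
    stmt["Principal"]["AWS"] = principals
    return json.dumps(policy, indent=2)


def apply_to_key(user_arn, key_id="alias/CrossAccountManager-Key"):
    """Fetch the live key policy, add the user, and write it back (needs boto3)."""
    import boto3  # imported here so the pure function above works offline
    kms = boto3.client("kms")
    current = kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"]
    kms.put_key_policy(KeyId=key_id, PolicyName="default",
                       Policy=add_user_to_key_policy(current, user_arn))
```

Review the returned policy (for example with a diff against the original) before calling apply_to_key, since put_key_policy replaces the whole policy document.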