
Key Scenarios
Sharing and splitting keys across Cloud accounts with AWS KMS.
Published Jan 28, 2025
Here are three scenarios for using AWS Key Management Service (KMS) to encrypt and decrypt data in the cloud across multiple accounts.
- Use a central customer-managed key (#CMK) to encrypt and decrypt data in a shared location. Users with the same key have access to the same set of data. Administrators of the KMS key account manage the key policy.
- Use different customer-managed keys (each in respective user accounts) to encrypt and decrypt data in a shared location. Users have access to data encrypted using their own keys. Each account's administrators manage their own key policies.
- Use different AWS-managed keys (each in respective user accounts) to encrypt and decrypt data in a shared location. Users have access to data encrypted using their own keys. AWS manages key policies.
Some usage examples:
- Uploading a file to an S3 bucket with the AWS CLI using a specific KMS key:
- Terraform S3 backend configuration snippet with a specific KMS key for encrypting and decrypting the state and lock files:
- Boto3 Python snippet to upload a file to an S3 bucket using a specific KMS key:
Depending on how the data is managed in an organization, each option has its own advantages and disadvantages.