Can I decrypt a KMS key from a different account, from a different aws region?

Question

Here's my scenario:

There are two aws accounts - A and B.
I have a KMS key K protecting an SQS queue in account A and region us-east-1.
I have an SNS topic in account B and region us-west-2.
My SQS queue from account A is subscribed to the topic from account B.
My KMS key's resource policy currently allows the SNS topic to perform encryption/decryption. I am using AWS CDK for my application. Following is the line of code that sets up these permissions:

encryptionMasterKey.addToResourcePolicy(new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
                "kms:GenerateDataKey",
                "kms:TagResource",
                "kms:UntagResource"],
            resources: ["*"],
            principals: [new iam.AccountPrincipal("<account B id>")]
        }));

Now, here are my observations:

If I leave the SQS queue unencrypted, my SNS topic is able to deliver message to my queue.
However, if I enable SSE encryption on the queue with KMS key K, the SNS topic fails with KMS.AccessDeniedException.

I need to be able to encrypt my queue for business reasons. How can I allow my SNS topic to access the KMS key?

You need add sns as principle to kms. – Marcin Nov 08 '21 at 22:35 — Marcin, Nov 08 '21 at 22:35

score 2 · Answer 1 · answered Nov 08 '21 at 22:32

In addition to the AWS account principal, you also need to have a policy that grants the Amazon SNS service principal permission for using the KMS key.

{
    "Sid": "Allow access for SNS Service Principal",
    "Effect": "Allow",
    "Principal": {
        "Service": "sns.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
    ],
    "Resource": "*"
}

You can also find a more detailed post regarding the setup here.

score 0 · Answer 2 · answered Sep 14 '22 at 00:48

I have gone through a similar problem, check the question and answer here: SNS not being able to send messages to SQS queue in another account

TL;DR: In addition to @user3099576 's answer, you need to use a multi-region KMS key that was created in one of the two regions with a replica in the other region. KMS Keys are not cross-region as of now.

Can I decrypt a KMS key from a different account, from a different aws region?

2 Answers2