Best practice for granting AWS RDS access to KMS CMK

Question

I am using an AWS RDS database cluster encrypted with a KMS CMK that resides in the same AWS account.

My DB cluster seems to be working fine with the default KMS policy, but I am not sure how RDS has access to the key if I did not specifically grant it.

Is this expected and the best practice? Or do I need to add a specific policy for RDS? I am a bit paranoid that my cluster might be missing permissions and may stop working at some point in the future.

Answer 1

It turned out that there is no need to add a specific policy to allow RDS access to KMS.

RDS gains access to the key from a grant given by the entity creating the DB cluster.

You can view the list of grants by running the following command:

aws kms list-grants --key-id yourkey

Here is a link to the source where I've found this information: https://www.reddit.com/r/aws/comments/f17a25/rds_and_kms_access_a_follow_up/