Can AWS S3 default encryption use a KMS key owned by another account?

I want to use the relatively new S3 default encryption property to ensure that all objects written to a particular prefix in an S3 bucket are encrypted. In this case, I need to be able to specify a KMS key owned by a different AWS account as the default key. Is this possible? If so:

  • how do I specify the key (I'm trying Console initially, though Terraform is the ultimate goal), and

  • is it sufficient to give AWS S3 permission to encrypt with the foreign-owned KMS key? Or does the role uploading the file also need permission?

Mike Kantor asked Jun 19 '18 04:06


1 Answer

Yes, this is possible. For the steps below, let's assume that the S3 bucket lives in account A, controlled by you, and the KMS key lives in account B, controlled by your customer, and that the API call to upload objects to S3 is made by an IAM caller specified in account A (that's my understanding from your question, please correct me if I'm wrong). Steps:

Account B:

  • Your customer will create a KMS customer master key as they normally would. The only caveat is that during creation (or after the key is created), the permissions of Key Users need to include an external AWS account (account A). To do this on the console after creating the key, it suffices to select the key, go to Key Users, External accounts section, click Add external account, paste the 12-digit AWS account ID from account A and save it. The result will be something like arn:aws:iam::ACCOUNT_ID:root. This gives access to Admins of account A to the key, and they can grant permissions to it for users/roles defined in account A. Take a note on the KMS key ARN, you'll need it on the next step.

Account A:

  • You can define the default S3 bucket encryption to AWS-KMS, select Custom KMS ARN, and then paste the ARN from the KMS key created in account B. From what you wrote, this is not exactly what you want, so the next step is:
  • You can define the encryption key per-object, during the upload operation. That is trivial from the console (same steps as above); it's also doable using any of the APIs or SDKs. See this link, specifically "Server-Side-Encryption-Specific Request Headers", for more details.

Final step:

  • You wanna lock down usage of the key to only the IAM role/user making the uploads, so make sure you attach an IAM policy to that role/user granting access to it. The resource will be the KMS key's ARN.

If your customer ever wants to "lock down" usage of the data, all they need to do is temporarily disable the key (using the KMS APIs or the AWS console), and/or schedule the key deletion (but this cannot be undone).

Viccari answered Oct 12 '22 11:10
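The three artifacts the answer walks through (the key-policy statement account B adds for an external account, the default-encryption rule and per-object headers on the account A side, and the IAM policy for the uploading role), plus a small evaluator that makes the answer to the second question concrete: a cross-account KMS call is allowed only when the key policy grants the caller's account *and* an identity policy in that account grants the caller. S3 performs the `GenerateDataKey` call with the uploader's credentials, so granting S3 alone is not enough. This is an added example, not code from the original question or answer; every account ID, ARN, bucket and role name is a constructed placeholder, and the evaluator is a simplified model (no Deny statements, no conditions, no grants).

```python
"""Cross-account SSE-KMS on S3: the policy documents from the answer and a
two-sided authorization check. Added example; all identifiers are constructed."""
import fnmatch
import json

ACCOUNT_A = "111111111111"  # constructed: owns the bucket and the uploading role
ACCOUNT_B = "222222222222"  # constructed: owns the KMS customer master key
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_B}:key/00000000-0000-0000-0000-000000000000"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/s3-uploader"
# Actions the console grants to a "Key User"; S3 needs GenerateDataKey to
# encrypt on PutObject and Decrypt to serve GetObject.
KEY_USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]


def account_of(arn: str) -> str:
    """Account-ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def key_policy_external_account(external_account: str) -> dict:
    """Account B side: statement the console adds under Key Users > External accounts."""
    return {
        "Sid": "AllowUseOfTheKeyByExternalAccount",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{external_account}:root"},
        "Action": KEY_USER_ACTIONS,
        "Resource": "*",
    }


def identity_policy_for_uploader(key_arn: str) -> dict:
    """Account A side: IAM policy attached to the uploading role, scoped to the foreign key ARN."""
    return {
        "Sid": "UseCustomerKeyForS3Uploads",
        "Effect": "Allow",
        "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"],
        "Resource": key_arn,
    }


def bucket_encryption_config(key_arn: str) -> dict:
    """Default-encryption rule: AWS-KMS with a custom (cross-account) key ARN."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_arn}}]}


def put_object_sse_headers(key_arn: str) -> dict:
    """Per-object alternative: the SSE-KMS request headers sent with PutObject."""
    return {"x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": key_arn}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_allowed(stmt: dict, action: str) -> bool:
    return stmt["Effect"] == "Allow" and any(
        fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))


def _principal_allowed(stmt: dict, principal_arn: str) -> bool:
    allowed = _as_list(stmt["Principal"]["AWS"])
    root = f"arn:aws:iam::{account_of(principal_arn)}:root"
    return principal_arn in allowed or root in allowed


def kms_allows(key_policy: list, identity_policies: list,
               principal_arn: str, action: str, key_arn: str) -> bool:
    """Simplified model of KMS authorization: the key policy must name the
    caller (or its account root) for the action, AND an identity policy in the
    caller's account must allow the action on this key ARN. Both are required."""
    key_side = any(_principal_allowed(s, principal_arn) and _action_allowed(s, action)
                   for s in key_policy)
    identity_side = any(_action_allowed(s, action) and key_arn in _as_list(s["Resource"])
                        for s in identity_policies)
    return key_side and identity_side


def main() -> None:
    docs = {"account_b_key_policy_statement": key_policy_external_account(ACCOUNT_A),
            "account_a_uploader_policy": identity_policy_for_uploader(KEY_ARN),
            "bucket_default_encryption": bucket_encryption_config(KEY_ARN),
            "put_object_headers": put_object_sse_headers(KEY_ARN)}
    print(json.dumps(docs, indent=2))
    both = kms_allows([docs["account_b_key_policy_statement"]],
                      [docs["account_a_uploader_policy"]],
                      ROLE_ARN, "kms:GenerateDataKey", KEY_ARN)
    only_key = kms_allows([docs["account_b_key_policy_statement"]], [],
                          ROLE_ARN, "kms:GenerateDataKey", KEY_ARN)
    print(f"key policy + role policy: {both}; key policy alone: {only_key}")


if __name__ == "__main__":
    main()
```

Running the block prints the four documents and then `key policy + role policy: True; key policy alone: False`, which is the practical reading of the final step in the answer: the external-account entry on the key only delegates to account A's administrators, and nothing in account A can use the key until a policy naming the key ARN is attached to the uploading role or user.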