aldy120 / s3-note

Note for Amazon S3

kms grant #28

Open aldy120 opened 2 years ago

aldy120 commented 2 years ago

A grant is a policy instrument that allows AWS principals to use KMS keys in cryptographic operations if the conditions specified by the grant are met.

aldy120 commented 2 years ago

use case: Amazon Macie grant S3 permission cross-account. https://docs.aws.amazon.com/macie/latest/user/discovery-supported-encryption-types.html#discovery-supported-encryption-cmk-configuration

Because the Macie role is read-only, we cannot update the Role policy to add KMS permission to access other account's KMS key. Instead, we give the permissions of Decrypt and CreateGrant to bucket owner via key policy. The bucket owner then creates a grant to delegate the permissions of the key to themselves.

aldy120 commented 2 years ago

For grants, is it enough to set up the key policy, after which the other account can directly create a grant?

Probably need an experiment to confirm. Account A creates a key and uses create grant to give account B permissions. Can account B use the KMS key without explicitly adding a policy to its IAM user?

aldy120 commented 2 years ago

Once a grant is created it takes effect automatically, though there may be some delay. To avoid the delay, use it together with a grant token.
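As an added example (not code from the issue author or from the Macie docs), the following Python puts the whole flow from the comments above into one place: the key-policy statement in the key owner's account that hands `kms:Decrypt` and `kms:CreateGrant` to the bucket owner's account, a small policy check, the `CreateGrant` call the bucket owner then makes for its Macie role, and the grant-token behaviour described in the last comment. The account IDs, key ID and role ARN are placeholders, and `FakeKms` is a local stand-in that only mimics the delayed visibility of a freshly created grant (its `caller` argument is an addition for the simulation; the real `Decrypt` API infers the caller from the request credentials).

```python
"""Cross-account KMS grant walkthrough: key policy, CreateGrant, grant token.

Added example. Account IDs, key ID and role ARN below are placeholders, and
FakeKms is a local stand-in for the KMS API that models one property from the
thread: a new grant is not visible immediately unless its grant token is
presented with the request.
"""
import json
import secrets

KEY_OWNER_ACCOUNT = "111111111111"     # placeholder: account A, owns the KMS key
BUCKET_OWNER_ACCOUNT = "222222222222"  # placeholder: account B, owns the bucket
KEY_ARN = f"arn:aws:kms:us-east-1:{KEY_OWNER_ACCOUNT}:key/PLACEHOLDER-KEY-ID"
# Placeholder for the Macie service-linked role in the bucket owner's account.
MACIE_ROLE = f"arn:aws:iam::{BUCKET_OWNER_ACCOUNT}:role/PLACEHOLDER-MACIE-ROLE"


def build_key_policy(bucket_owner_account: str) -> dict:
    """Key policy for account A's key: full admin for A's root, and only
    Decrypt + CreateGrant for B's root, as the thread describes delegating."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyOwnerAdmin",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{KEY_OWNER_ACCOUNT}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowBucketOwnerToDecryptAndGrant",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{bucket_owner_account}:root"},
                "Action": ["kms:Decrypt", "kms:CreateGrant"],
                "Resource": "*",
            },
        ],
    }


def policy_allows(policy: dict, principal_arn: str, action: str) -> bool:
    """Minimal evaluator: does an Allow statement name this exact principal
    and this action (or the kms:* wildcard)? Good enough to check that the
    statement above is scoped to the two actions the thread needs."""
    for stmt in policy["Statement"]:
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or principal_arn not in principals:
            continue
        if action in actions or "kms:*" in actions:
            return True
    return False


class FakeKms:
    """Local stand-in for the two KMS calls used below (not boto3)."""

    def __init__(self):
        self._grants = {}      # grant_id -> (grantee_arn, operations, grant_token)
        self._pending = set()  # grant ids that have not propagated yet

    def create_grant(self, KeyId, GranteePrincipal, Operations):
        grant_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(16)
        self._grants[grant_id] = (GranteePrincipal, set(Operations), token)
        self._pending.add(grant_id)  # eventual consistency: not visible yet
        return {"GrantId": grant_id, "GrantToken": token}

    def propagate(self):
        """Simulate the propagation delay finishing."""
        self._pending.clear()

    def decrypt(self, KeyId, CiphertextBlob, caller, GrantTokens=()):
        for gid, (grantee, ops, token) in self._grants.items():
            if grantee != caller or "Decrypt" not in ops:
                continue
            if gid in self._pending and token not in GrantTokens:
                continue  # grant exists but is not usable yet without its token
            return {"Plaintext": CiphertextBlob[::-1]}  # toy stand-in for decryption
        raise PermissionError("AccessDeniedException")


def delegate_and_decrypt(kms, use_grant_token: bool) -> bool:
    """Account B creates a grant for its Macie role, then the role decrypts
    right away. Returns True if the immediate Decrypt succeeds."""
    grant = kms.create_grant(KeyId=KEY_ARN, GranteePrincipal=MACIE_ROLE,
                             Operations=["Decrypt"])
    tokens = [grant["GrantToken"]] if use_grant_token else []
    try:
        kms.decrypt(KeyId=KEY_ARN, CiphertextBlob=b"ciphertext", caller=MACIE_ROLE,
                    GrantTokens=tokens)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(json.dumps(build_key_policy(BUCKET_OWNER_ACCOUNT), indent=2))
    print("immediate decrypt without token:", delegate_and_decrypt(FakeKms(), False))
    print("immediate decrypt with token:   ", delegate_and_decrypt(FakeKms(), True))
```

With the real service the same shape applies: the `CreateGrant` response carries `GrantToken`, and passing it in `GrantTokens` on the follow-up `Decrypt` avoids waiting for the grant to propagate; once propagated, the token is no longer needed.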