awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Provide functionality of customizing key policy for LZA created CMKs #535

Open yaolu-dtp opened 3 months ago

yaolu-dtp commented 3 months ago

Is your feature request related to a problem? Please describe.
In my case, the issue is with the AWS Backup cross-account copy. Ref: Encryption for backups in AWS Backup

One example: the EBS volume is encrypted with the EBS CMK created by LZA, and the backup is then encrypted with the same key. So the KMS key policy has to allow cross-account access before AWS Backup cross-account copy works.

However, it is not possible to customize the key policy of EBS CMK created by LZA as far as I can tell.

Other CMKs will likely have similar issues.

Describe the feature you'd like
Capability to customize the key policy of CMKs created by LZA.

Additional context
Nil
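A worked illustration of the key-policy change this request is about, added here as an example and not code from LZA or the issue author: it appends the standard cross-account "use the key" and "service grants only" statements to a constructed starting policy for a placeholder destination account, and checks that the result still names no wildcard principal. The account IDs, Sids and starting policy are constructed, and the action set is the usual cross-account KMS pattern rather than one taken from this page.

```python
import json
from copy import deepcopy

# Constructed placeholder account IDs; replace with the real source/destination IDs.
SOURCE_ACCOUNT = "111111111111"
DEST_ACCOUNT = "222222222222"

# Constructed starting policy: key administration stays with the owning account.
BASE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableIAMUserPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

def cross_account_statements(dest_account: str) -> list:
    """Two statements in the usual AWS cross-account pattern: plain key use, and
    CreateGrant limited to grants that AWS services (such as Backup) create.
    The two are kept separate because the GrantIsForAWSResource condition
    would otherwise block ordinary Decrypt/Encrypt calls."""
    principal = {"AWS": f"arn:aws:iam::{dest_account}:root"}
    return [
        {"Sid": f"AllowKeyUseFrom{dest_account}", "Effect": "Allow",
         "Principal": principal, "Resource": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]},
        {"Sid": f"AllowServiceGrantsFrom{dest_account}", "Effect": "Allow",
         "Principal": principal, "Resource": "*", "Action": "kms:CreateGrant",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]

def add_cross_account_access(policy: dict, dest_account: str) -> dict:
    """Return a copy of `policy` with the destination account added (idempotent)."""
    new = deepcopy(policy)
    existing = {s.get("Sid") for s in new["Statement"]}
    new["Statement"] += [s for s in cross_account_statements(dest_account)
                         if s["Sid"] not in existing]
    return new

def has_wildcard_principal(policy: dict) -> bool:
    """Guard: a customised key policy must never open the key to every account."""
    return any(s.get("Principal") in ("*", {"AWS": "*"}) for s in policy["Statement"])

if __name__ == "__main__":
    updated = add_cross_account_access(BASE_KEY_POLICY, DEST_ACCOUNT)
    assert not has_wildcard_principal(updated)
    print(json.dumps(updated, indent=2))  # review, then apply via PutKeyPolicy
```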

bo1984 commented 3 months ago

Hi @yaolu-dtp!

Thank you for reaching out and using the Landing Zone Accelerator on AWS (LZA) solution. I have gone ahead and filed a feature request for this. I will keep this issue open as we prioritize this item in our backlog and provide you any updates on its release. Please let us know if you have any questions or concerns in the meantime.