In this example, the Security_Account user manages your credentials in account A, and the Dev_Account user is used by your developers in account B. An AWS Identity and Access Management (IAM) user or an application running in the Amazon Elastic Compute Cloud (Amazon EC2) instance of your Dev_Account retrieves secrets in the Security_Account user account. You can use a resource-based policy for a secret, which allows you to attach a permissions policy to the secret. You can use this policy to allow an IAM entity from your Dev_Account to access the secret in your Security_Account.

A secret named DevSecret in your Security_Account (account A) is encrypted using an AWS Key Management Service (AWS KMS) key DevSecretKMS. Then, the secret is shared with your Dev_Account (account B).

Note: You can't use the AWS KMS default key for the account. The AWS KMS default key is created, managed, and used on your behalf by an AWS service that runs on AWS Key Management Service. The AWS KMS default key is unique to your AWS account and AWS Region. Only the service that created the AWS managed key can use it.

Resolution

Follow these steps in the Security_Account (account A), in the Region where your secret is:

1. If you don't have a secret, then follow the instructions for creating a secret. Be sure to specify the Amazon Resource Name (ARN) in the AWS KMS key ID parameter for the secret.

2. If you have an existing secret using an alias, then follow the instructions for modifying a secret. Be sure to specify the AWS KMS key ARN in the AWS KMS key ID parameter for the secret.
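As an added example (not code from the original article), the following Python builds the create_secret request with the KMS key ARN the steps above require, rejects an alias or the AWS managed key, and produces the resource-based policy that grants a Dev_Account role access to the secret. The account IDs, the role name DevSecretReader and the key ID are constructed placeholders.

```python
"""Added example: the create_secret request for DevSecret with an explicit KMS
key ARN, plus the resource-based policy that lets Dev_Account (account B) read it.
Account IDs, role name and key ID below are constructed placeholders."""
import json
import re

# A KMS *key* ARN, the form the article requires in the "AWS KMS key ID" parameter.
KEY_ARN_RE = re.compile(r"^arn:aws[\w-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

def kms_key_id_problem(kms_key_id: str):
    """Return why this identifier breaks cross-account sharing, or None if it is
    a key ARN. Aliases only resolve inside the owning account, and the AWS managed
    key (aws/secretsmanager) is usable only by Secrets Manager in that account."""
    if kms_key_id.endswith("alias/aws/secretsmanager"):
        return "the AWS managed key cannot be shared across accounts"
    if kms_key_id.startswith("alias/") or ":alias/" in kms_key_id:
        return "specify the KMS key ARN, not an alias"
    if not KEY_ARN_RE.match(kms_key_id):
        return "specify the full KMS key ARN, not a bare key ID"
    return None

def create_secret_request(name: str, kms_key_id: str, secret_string: str) -> dict:
    """Keyword arguments for boto3 secretsmanager create_secret / update_secret."""
    problem = kms_key_id_problem(kms_key_id)
    if problem:
        raise ValueError(f"KmsKeyId {kms_key_id!r}: {problem}")
    return {"Name": name, "KmsKeyId": kms_key_id, "SecretString": secret_string}

def secret_resource_policy(dev_account_id: str, role_name: str) -> dict:
    """Resource-based policy attached to the secret in Security_Account.
    "Resource": "*" here means this secret only. The Dev_Account role still needs
    its own identity policy, and the DevSecretKMS key policy must also grant it
    kms:Decrypt, otherwise GetSecretValue fails."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowDevAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{dev_account_id}:role/{role_name}"},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
        }],
    }

if __name__ == "__main__":  # constructed values, not real accounts or keys
    key_arn = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(json.dumps(create_secret_request("DevSecret", key_arn, "{}"), indent=2))
    print(json.dumps(secret_resource_policy("222222222222", "DevSecretReader"), indent=2))
```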