We can define a KMS key policy in an external account (ACCOUNT_EXT) that gives permission to be used by another AWS account (ACCOUNT_1). In this policy, we will set `Principal` to the other AWS account's enclave instance profile role. We will also give limited permission for the KMS operations we need in the user application. We will add the `Condition Key`, which only allows it to be used from within the enclave.
# key_policy.json
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Allow an external account to use this KMS key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_1>:role/EC2_S3_KMS_Role"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {
"kms:RecipientAttestation:PCR0": "<PCR0>",
"kms:RecipientAttestation:PCR1": "<PCR1>",
"kms:RecipientAttestation:PCR2": "<PCR2>"
"kms:RecipientAttestation:PCR2": "<PCR16>"
}
}
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_EXT>:user/<ADMIN_ROLE_NAME>"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
"kms:RotateKeyOnDemand"
],
"Resource": "*"
}
]
}