To create the grant in your account, you must add the kms:CreateGrant, kms:ListGrants, and kms:RevokeGrant permissions to the key policy. The key policy must also include the "Allow use of the key" and "Allow attachment of persistent resources" statements.
The following is an example of the key policy. Replace SOURCE_ACCOUNT with the ID of the account that's sharing the encrypted AMI, DESTINATION_ACCOUNT with your account's ID, and DESTINATION_USER with the IAM user in your account that creates the grant:
```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE_ACCOUNT:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE_ACCOUNT:user/AdminUser"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::DESTINATION_ACCOUNT:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
          "arn:aws:iam::SOURCE_ACCOUNT:user/AdminUser"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::DESTINATION_ACCOUNT:user/DESTINATION_USER",
          "arn:aws:iam::SOURCE_ACCOUNT:user/AdminUser"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*"
    }
  ]
}
```
Note: When you use the AWS Management Console to create a KMS key and include external account IDs as users, the key policy automatically applies the kms:GrantIsForAWSResource condition key. That condition key doesn't allow users to create grants for the Auto Scaling service-linked role (SLR). Make sure that the key policy doesn't contain this condition key in the "Allow attachment of persistent resources" statement.
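Before creating the grant, it is worth checking the key policy offline for the three requirements this page states: the Auto Scaling service-linked role is a principal in "Allow use of the key", the "Allow attachment of persistent resources" statement grants kms:CreateGrant, kms:ListGrants and kms:RevokeGrant to a principal in the destination account, and that statement carries no kms:GrantIsForAWSResource condition. The following checker is an added example, not AWS's own tooling or code from this page; the account IDs, the DestUser name and the sample policies are constructed placeholders, and the policy it builds mirrors the example above (the Key Administrators statement is omitted because the checks do not depend on it).

```python
import fnmatch
import json
from typing import Dict, List, Set

# Constructed placeholder values (not real accounts).
SOURCE_ACCOUNT = "111111111111"
DESTINATION_ACCOUNT = "222222222222"
SLR_ARN = (f"arn:aws:iam::{DESTINATION_ACCOUNT}:role/aws-service-role/"
           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")

REQUIRED_GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}
USE_SID = "Allow use of the key"
ATTACH_SID = "Allow attachment of persistent resources"
# IAM condition keys compare case-insensitively, so the checker lower-cases them.
PROBLEM_CONDITION = "kms:grantisforawsresource"


def sample_policy(with_condition: bool) -> Dict:
    """Constructed key policy shaped like the page's example (hypothetical sample input)."""
    attach = {
        "Sid": ATTACH_SID,
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{DESTINATION_ACCOUNT}:user/DestUser",
                              f"arn:aws:iam::{SOURCE_ACCOUNT}:user/AdminUser"]},
        "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
        "Resource": "*",
    }
    if with_condition:
        # The condition the console adds for external accounts; it blocks grants for the SLR.
        attach["Condition"] = {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": USE_SID, "Effect": "Allow",
             "Principal": {"AWS": [SLR_ARN, f"arn:aws:iam::{SOURCE_ACCOUNT}:user/AdminUser"]},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
            attach,
        ],
    }


def _as_list(value):
    # Policy elements may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _allows(action: str, patterns) -> bool:
    # IAM action names match case-insensitively and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_keys(statement: Dict) -> Set[str]:
    keys: Set[str] = set()
    for mapping in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in mapping)
    return keys


def check_key_policy(policy: Dict, slr_arn: str, destination_account: str) -> List[str]:
    """Return a list of findings; an empty list means the policy passes all checks."""
    findings: List[str] = []
    by_sid = {s.get("Sid"): s for s in policy.get("Statement", [])}
    for sid in (USE_SID, ATTACH_SID):
        if sid not in by_sid:
            findings.append(f"missing statement '{sid}'")
    use = by_sid.get(USE_SID)
    if use is not None and slr_arn not in _as_list(use.get("Principal", {}).get("AWS", [])):
        findings.append(f"'{USE_SID}' does not list the Auto Scaling SLR as a principal")
    attach = by_sid.get(ATTACH_SID)
    if attach is not None:
        patterns = _as_list(attach.get("Action", []))
        missing = sorted(a for a in REQUIRED_GRANT_ACTIONS if not _allows(a, patterns))
        if missing:
            findings.append(f"'{ATTACH_SID}' lacks {missing}")
        principals = _as_list(attach.get("Principal", {}).get("AWS", []))
        if not any(f"::{destination_account}:" in p for p in principals):
            findings.append(f"'{ATTACH_SID}' has no principal from account {destination_account}")
        if PROBLEM_CONDITION in _condition_keys(attach):
            findings.append(f"'{ATTACH_SID}' contains kms:GrantIsForAWSResource, "
                            "which blocks grants for the SLR")
    return findings


def check_key_policy_json(text: str, slr_arn: str, destination_account: str) -> List[str]:
    """Convenience wrapper for a policy document as returned by get-key-policy."""
    return check_key_policy(json.loads(text), slr_arn, destination_account)


if __name__ == "__main__":
    for flag in (False, True):
        result = check_key_policy(sample_policy(flag), SLR_ARN, DESTINATION_ACCOUNT)
        print(f"with_condition={flag}: {result or 'OK'}")
```

In practice you would feed `check_key_policy_json` the document returned by `aws kms get-key-policy --policy-name default` for the shared key and fix any finding before running `aws kms create-grant`; the checker deliberately matches actions with IAM's wildcard semantics so that a policy using "kms:Create*" style patterns is not reported as missing the grant permissions.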