I want to restrict AWS Key Management Service (AWS KMS) key access to only the principals that belong to my AWS Organization.
Short description
You can use the aws:PrincipalOrgID global condition key with the Principal element in a resource-based policy with AWS KMS. You can specify the Organization ID in the Condition element instead of a list for all the AWS account IDs in an Organization.
Resolution
Use the AWS global condition context key aws:PrincipalOrgID to create an AWS KMS key policy to allow all accounts in an AWS Organization to perform AWS KMS actions
Important: It's a best practice to grant least privilege permissions with AWS Identity and Access Management (IAM) policies.
Specify your AWS Organization ID in the condition element of the statement policy. This policy makes sure that only the principals from the accounts in your Organization can access the AWS KMS key.
To get the Organization ID, follow these steps:
- Open the AWS Organizations console.
- Choose Settings.
- In Organization details, copy the Organization ID.
{ "Sid": "Allow use of the KMS key for organization",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GetKeyPolicy"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-xxxxxxxxxxx"
}
}
}
This AWS KMS key policy statement allows identities of AWS accounts that belong to the AWS Organization with ID o-xxxxxxxxxxx to use the KMS key:
Note: The aws:PrincipalOrgID global condition context key can't be used to restrict access to an AWS service principal. AWS services that invoke an API call are made from an internal AWS account that is not part of the AWS Organization.
Related information
How do I get started with AWS Organizations?
How do I remove a member account from an organization?