New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support an S3 bucket in a different account #245

Open

DanielRussell wants to merge 2 commits into trussworks:main from DanielRussell:feat/240-enable-cross-account-kms

DanielRussell commented May 9, 2024

Allow principals in the S3 bucket's account to use the KMS Key to decrypt logs.

S3 itself cannot tell us which account an arbitrary bucket is in, so the caller must provide it.

Useful when using an Organization CloudTrail and a dedicated AWS account for logs, as recommended by AWS Multi-account strategy.

Fixes #240

logs encrypted with other aws account cmk

Changes proposed in this pull request:

Optionally give permission to a caller-provided AWS Account number to the KMS key for decryption

DanielRussell added 2 commits

May 9, 2024 11:43


          Support an S3 bucket in a different account

7f458b2

Allow principals in the S3 bucket's account to use the KMS Key to decrypt logs.

S3 itself cannot tell us which account an arbitrary bucket is in, so the caller must provide it.

Useful when using an Organization CloudTrail and a dedicated AWS account for logs, as recommended by [AWS Multi-account strategy](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html).


          Output the KMS Key ARN

51de526

So it can be used in for a bucket policy or similar.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet