Allow organizations and OUs to use a KMS key - Amazon Elastic Compute Cloud

Allow organizations and OUs to use a KMS key

If you share an AMI that is backed by encrypted snapshots, you must also allow the organizations or OUs to use the AWS KMS keys that were used to encrypt the snapshots.

Use the aws:PrincipalOrgID and aws:PrincipalOrgPaths condition keys to compare the AWS Organizations path of the principal who is making the request with the path specified in the policy. That principal can be a user, IAM role, federated user, or AWS account root user. In a policy, these condition keys ensure that the requester is an account member within the specified organization root or OUs in AWS Organizations. For more example condition statements, see aws:PrincipalOrgID and aws:PrincipalOrgPaths in the IAM User Guide.

For information about editing a key policy, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.

To give an organization or OU permission to use a KMS key, add the following statement to the key policy.

{
    "Sid": "Allow access for organization root",
    "Effect": "Allow",
    "Principal": "*",
    "Action": [
        "kms:Describe*",
        "kms:List*",
        "kms:Get*",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalOrgID": "o-123example"
        }
    }
}

To share a KMS key with multiple OUs, you can use a policy similar to the following example.

{
    "Sid": "Allow access for specific OUs and their descendants",
    "Effect": "Allow",
    "Principal": "*",
    "Action": [
        "kms:Describe*",
        "kms:List*",
        "kms:Get*",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalOrgID": "o-123example"
        },
        "ForAnyValue:StringLike": {
            "aws:PrincipalOrgPaths": [
                "o-123example/r-ab12/ou-ab12-33333333/*",
                "o-123example/r-ab12/ou-ab12-22222222/*"
            ]
        }
    }
}
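The following added example (not AWS code, and a deliberate simplification of IAM's condition evaluation) checks offline which principals the multi-OU condition block above admits: it models StringEquals on the single-valued aws:PrincipalOrgID key and ForAnyValue:StringLike on the multi-valued aws:PrincipalOrgPaths key, using constructed request contexts for a hypothetical account directly in an allowed OU, one in a nested child OU, one directly under the root, and one in a different organization. The `ctx`, `string_like`, `condition_allows` and `evaluate_all` helpers, the OU id `ou-ab12-44444444`, the organization id `o-999example` and the root id `r-cd34` are assumptions made for the example.

```python
import re

# The Condition block of the multi-OU key-policy statement on this page.
CONDITION = {
    "StringEquals": {"aws:PrincipalOrgID": "o-123example"},
    "ForAnyValue:StringLike": {
        "aws:PrincipalOrgPaths": [
            "o-123example/r-ab12/ou-ab12-33333333/*",
            "o-123example/r-ab12/ou-ab12-22222222/*",
        ]
    },
}

# Constructed request contexts (hypothetical accounts). An account's
# aws:PrincipalOrgPaths value is the path from the org root down to the
# OU that directly contains the account, ending with a slash.
def ctx(org_id, path):
    return {"aws:PrincipalOrgID": org_id, "aws:PrincipalOrgPaths": [path]}

PRINCIPALS = {
    "directly in ou-ab12-33333333": ctx("o-123example", "o-123example/r-ab12/ou-ab12-33333333/"),
    "child OU under ou-ab12-22222222": ctx("o-123example", "o-123example/r-ab12/ou-ab12-22222222/ou-ab12-44444444/"),
    "directly under the org root": ctx("o-123example", "o-123example/r-ab12/"),
    "different organization": ctx("o-999example", "o-999example/r-cd34/ou-cd34-33333333/"),
}

def string_like(value, pattern):
    # IAM StringLike: case-sensitive, '*' matches any run, '?' one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_allows(condition, request):
    # Every operator block must pass; a missing request key fails the block.
    for operator, keys in condition.items():
        for key, policy in keys.items():
            patterns = policy if isinstance(policy, list) else [policy]
            values = request.get(key, [])
            values = values if isinstance(values, list) else [values]
            if operator == "StringEquals":
                ok = len(values) == 1 and values[0] in patterns
            elif operator == "ForAnyValue:StringLike":
                # At least one request value matches at least one pattern.
                ok = any(string_like(v, p) for v in values for p in patterns)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def evaluate_all():
    # Map each constructed principal to whether the Condition admits it.
    return {name: condition_allows(CONDITION, c) for name, c in PRINCIPALS.items()}
```

Only the two principals whose path starts with an allowed OU are admitted; the account directly under the root and the account in another organization are not, which is the scoping the statement is meant to enforce.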