We have 6 AWS accounts in our Control Tower and I do not want to list each of those accounts in the code. Is there a way for me to write the code to allow CloudTrail in those accounts to use this KMS CMK? What do I need to include in this code to allow CloudTrail in other accounts to use the KMS CMK?
Thank you very much in advance.
    "Sid": "Enable IAM Policies",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::{aws_account_id}:root"
    },
    "Action": "kms:*",
    "Resource": "*"
  },
  {
    "Sid": "Allow CloudTrail to encrypt logs",
    "Effect": "Allow",
    "Principal": {
      "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "kms:GenerateDataKey*",
    "Resource": "*",
    "Condition": {
      "StringLike": {
        "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:{aws_account_id}:trail/*"
      }
    }
  },
  {
    "Sid": "Allow CloudTrail access",
    "Effect": "Allow",
    "Principal": {
      "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "kms:DescribeKey",
    "Resource": "*"
  },
  {
    "Sid": "Enable CloudTrail log decrypt permissions",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::{aws_account_id}:root"
    },
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {
      "Null": {
        "kms:EncryptionContext:aws:cloudtrail:arn": "false"
      }
    }
  },
  {
    "Sid": "Allow Administration of key",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::{aws_account_id}:root"},
    "Action": [
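One way to avoid listing every account, as an added example that is not from the original post: build the key policy so the decrypt grant is fenced by an aws:PrincipalOrgID condition instead of per-account root ARNs, and run a small check that flags any wildcard-principal statement left without that fence. The organization id, the key-owning account id and the cross-account trail ARN pattern are constructed placeholders.

```python
import json

ORG_ID = "o-exampleorgid"       # constructed placeholder, not a real organization id
KEY_ACCOUNT = "111111111111"    # constructed placeholder: account that owns the CMK

def build_key_policy(key_account: str, org_id: str) -> dict:
    """Key policy that lets every account in the organization use the CMK for
    CloudTrail without enumerating account ids (aws:PrincipalOrgID does that)."""
    trail_ctx = "kms:EncryptionContext:aws:cloudtrail:arn"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM Policies",  # key administration stays in the owning account
         "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{key_account}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs",  # any account's trail may encrypt;
         "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         # broader than listing accounts: narrow to ":*:<account>:trail/*" if only
         # the management account's organization trail writes with this key
         "Condition": {"StringLike": {trail_ctx: "arn:aws:cloudtrail:*:*:trail/*"}}},
        {"Sid": "Allow CloudTrail access", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Sid": "Enable CloudTrail log decrypt permissions",  # all org accounts, no list
         "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id},
                       "Null": {trail_ctx: "false"}}},
    ]}

def unfenced_wildcard_sids(policy: dict) -> list:
    """Sids of Allow statements whose principal is any AWS account ('*') but which
    carry no aws:PrincipalOrgID condition: those are open cross-account grants."""
    bad = []
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        is_any = principal == "*" or principal.get("AWS") == "*"
        conds = st.get("Condition", {})
        fenced = any("aws:PrincipalOrgID" in v for v in conds.values())
        if st["Effect"] == "Allow" and is_any and not fenced:
            bad.append(st["Sid"])
    return bad

if __name__ == "__main__":
    policy = build_key_policy(KEY_ACCOUNT, ORG_ID)
    print(json.dumps(policy, indent=2))
    print("unfenced wildcard statements:", unfenced_wildcard_sids(policy))
```

The same aws:PrincipalOrgID fence, rather than a second service statement, is what keeps the member accounts out of the policy text while still denying decrypt to principals outside the organization.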