Provisioning AWS KMS-Encrypted Buckets with Cross Account Access

What follows is a walkthrough of the steps involved in granting an external AWS account access to a KMS-encrypted S3 bucket.

The scenario used throughout the walkthrough is summarised below:

  • An S3 bucket, s3://account-a-bucket, is to be created in account-a and made accessible to an external AWS account, account-b
  • A new KMS customer master key (CMK) needs to be created in account-a, and bucket encryption enabled using this key
  • IAM user Ann, in account-a