Once custom KMS keys have been enabled from Config > Options > Custom Settings, enable Multi-Domains from Config > Options > Settings by ticking “Multiple Domains”.

The KMS keys are now displayed for the account in which WSM is deployed.

In a multi-account scenario in AWS, the policies attached to the role in each secondary account must be changed, and WSM must be told which role to use in each case. This is done in two different places:
1) In the secondary account, where permissions for KMS are assigned to the existing role
2) In WSM, where the role to assume has to be explicitly specified for each account with monitored WorkSpaces

In the secondary account (and in further accounts if needed), edit the role, for example arn:aws:iam::222222222222:role/AllowWSMAccess, and attach the AWS managed policy “AWSKeyManagementServicePowerUser”.

In WSM, add the role that is to be used from the other account.
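
A pre-flight check for the secondary-account role described above, added here as an example (it is not WSM's or AWS's own code): it reads the JSON printed by `aws iam get-role` and `aws iam list-attached-role-policies` and reports whether the managed policy is attached and whether the role's trust policy lets the WSM account, and only that account, assume it. The WSM account ID 111111111111, the function names and the sample JSON are assumptions; `Condition` blocks in the trust policy are not evaluated.

```python
import json

# AWS managed policy named on this page.
KMS_POLICY_ARN = "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"

def _as_list(value):
    """IAM JSON allows a single string where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from an ARN principal, or the bare account ID itself."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_role(get_role_json, attached_json, wsm_account_id):
    """Return findings for a secondary-account role; [] means ready for WSM."""
    findings = []
    trust = json.loads(get_role_json)["Role"]["AssumeRolePolicyDocument"]
    attached = {p["PolicyArn"] for p in json.loads(attached_json)["AttachedPolicies"]}
    if KMS_POLICY_ARN not in attached:
        findings.append("AWSKeyManagementServicePowerUser is not attached")
    wsm_trusted = False
    for stmt in _as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        for p in aws:
            if p == "*":  # wildcard includes the WSM account, but also everyone else
                wsm_trusted = True
                findings.append("trust policy lets any AWS principal assume the role")
            elif _account_of(p) == wsm_account_id:
                wsm_trusted = True
            else:
                findings.append(f"trust policy also trusts account {_account_of(p)}")
    if not wsm_trusted:
        findings.append(f"account {wsm_account_id} cannot assume the role")
    return findings

# Constructed sample output (not captured from a real account).
SAMPLE_ROLE = json.dumps({"Role": {"Arn": "arn:aws:iam::222222222222:role/AllowWSMAccess",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}}})
SAMPLE_ATTACHED = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AWSKeyManagementServicePowerUser", "PolicyArn": KMS_POLICY_ARN}]})

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE, SAMPLE_ATTACHED, "111111111111") or "role is ready")
```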
