KMS Multi-Accounts

Once the custom KMS Keys has been enabled from: Config > Settings > Amazon Web Services

Enable Multi-Domains from: Configuration > Settings > Active Directory and tick on “Multiple Domains”

The KMS Keys will now display for the same account in which the WSM is deployed:

In a multi-accounts scenario in AWS, we need to change the policies attached to the role in the secondary (or more) accounts and specify to WSM which role to use in each case. This is done in two different places: 1) In the secondary account in which we assign permissions for KMS to the existing role 2) In WSM, for each account with WorkSpaces that are monitored, the role to assume has to be explicitly specified

In the secondary account (and more if needed), role like arn:aws:iam::222222222222:role/AllowWSMAccess will be edited and an AWS Managed Policy called “AWSKeyManagementServicePowerUser” will be added:

In WSM, we will add the role that we are to use from a different account: