Skip to main content

How to use shared KMS keys


Sometimes you may need to share encrypted things between accounts, like snapshots. To do this you can either create your own KMS key and share to the relevant accounts, or you can use one of the shared keys provided per business unit.

Shared per business unit KMS keys

KMS keys are created for each business unit (eg HMPPS, LAA). These keys are shared to all of the accounts in the business unit, so anything encrypted with these keys can be shared between accounts in the business unit. The shared keys are located in the core-shared-services account.

Key alias Recommended usage
general-<business-unit> General encryption
ebs-<business-unit> Encrypt EBS volumes and snapshots
rds-<business-unit> Encrypt RDS databases and snapshots

How to use

To use the shared KMS key, reference the data source which is provided in your ‘’ file, this will automatically pick up the correct shared key for your business unit.

In your resource requiring encryption:

kms_key_id = data.aws_kms_key.general_shared.arn

This uses the following data source in

data "aws_kms_key" "general_shared" {
  key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/general-${var.networking[0].business-unit}"
This page was last reviewed on 15 May 2023. It needs to be reviewed again on 15 November 2023 by the page owner #modernisation-platform .
This page was set to be reviewed before 15 November 2023 by the page owner #modernisation-platform. This might mean the content is out of date.