...

  • Secrets to be shared across AWS accounts need to be encrypted with a customer KMS key, not the default KMS key that AWS provides.
    • It's easy to switch the KMS key used for a particular secret. When you switch the KMS key for the secret, be sure to have Secrets Manager re-encrypt the secret with the new key. If using the web console, the wizard will offer to do that for you.
  • In the end, you will have added a resource policy to both the target secret and the KMS key used for encrypting the secret.
  • The policies provided in the above link allow access only to the most recent version of the secret (i.e., AWSCURRENT). Be sure to include that version stage in the API/CLI request, e.g.:

    $ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:HOMEACCOUNT:secret:MySecret --region us-east-1 --version-stage AWSCURRENT
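As an added illustration (not from the original page or the linked AWS documentation), the following Python builds the two policy documents the checklist above ends up with, the resource policy on the secret and the extra statement on the customer KMS key, and dry-runs a request against the AWSCURRENT condition to show why the version stage matters. Account ids, the role name and the secret ARN suffix are constructed placeholders; the condition keys `secretsmanager:VersionStage` and `kms:ViaService` are real IAM condition keys.

```python
"""Cross-account Secrets Manager policies plus an offline dry-run of the
AWSCURRENT condition. No AWS calls are made."""
import json

# Constructed placeholders, not real accounts, roles or secrets.
HOME_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"
TARGET_ROLE = f"arn:aws:iam::{TARGET_ACCOUNT}:role/SecretReader"
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{HOME_ACCOUNT}:secret:MySecret-AbCdEf"


def secret_resource_policy(principal_arn, stage="AWSCURRENT"):
    """Resource policy attached to the secret in the home account.
    secretsmanager:VersionStage is a multi-valued key, hence ForAnyValue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
            "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": stage}},
        }],
    }


def kms_key_policy_statement(principal_arn, region="us-east-1"):
    """Statement to add to the customer KMS key policy: the target principal may
    decrypt, but only when the call arrives via Secrets Manager in this region."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
    }


def request_allowed(policy, principal_arn, version_stages):
    """Minimal evaluator for the secret policy: allow only if the caller matches and
    the version being read carries the staging label the condition names."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"]["AWS"] != principal_arn:
            continue
        wanted = stmt["Condition"]["ForAnyValue:StringEquals"]["secretsmanager:VersionStage"]
        if wanted in version_stages:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(secret_resource_policy(TARGET_ROLE), indent=2))
    print(json.dumps(kms_key_policy_statement(TARGET_ROLE), indent=2))
    print("AWSCURRENT allowed:", request_allowed(secret_resource_policy(TARGET_ROLE), TARGET_ROLE, ["AWSCURRENT"]))
```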

...