AWS Security Labs | Mastering KMS Grants

Sep 2, 2024
24:47

If you are looking to enable cross-account S3 access using KMS Grants or just looking for an easy way to understand how KMS Grants work, here is a demo lab on AWS that you can follow. In this lab, we will be enabling cross-account access to an encrypted S3 bucket using KMS key policy and KMS Grants, which will allow you to compare the two solutions.

Chapters:
00:08 Introduction on KMS Grants
04:52 Blueprint of the demo
06:24 1/3 Create cross-account accessible S3 bucket
06:24 1/3 Part 1 Create S3 bucket in Data account
08:37 1/3 Part 2 Create IAM Role in Accessor account
10:06 1/3 Part 3 Update S3 bucket policy
12:58 2/3 Enabling KMS encryption on S3 bucket
15:37 3/3 Solving for missing key permissions
15:37 3/3 Part 1 Solution using KMS Key policy update
18:16 3/3 Part 2 Second solution using KMS Grants

Prefer to read an article? https://medium.com/cloud-security-masterclass/mastering-aws-kms-grants-benefits-security-considerations-and-a-practical-demo-17be5088ee6a
