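# Principals in other AWS accounts that may use the key for Encrypt/Decrypt.
# The previous policy used Principal = { AWS = "*" } with no Condition, which
# lets any principal in any AWS account call kms:Encrypt and kms:Decrypt on
# this key. The grant is now limited to an explicit allow-list and is omitted
# entirely while the list is empty.
variable "cross_account_principal_arns" {
  description = "IAM principal ARNs (account root, role or user) in other accounts allowed to Encrypt/Decrypt with the cross-account key."
  type        = list(string)
  default     = []

  validation {
    condition     = !contains(var.cross_account_principal_arns, "*")
    error_message = "Wildcard principals are not allowed; list explicit IAM principal ARNs."
  }
}

resource "aws_kms_key" "cross_account" {
  description = "Cross-account encryption key"

  # 7 days is the shortest deletion window KMS accepts; a longer window (up to
  # 30) leaves more time to cancel an accidental or unauthorized deletion.
  deletion_window_in_days = 7
  enable_key_rotation     = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = concat(
      [
        {
          # Grants the owning account's root principal full control of the
          # key, so access for principals in this account is governed by
          # their IAM policies.
          Sid    = "Enable IAM User Permissions"
          Effect = "Allow"
          Principal = {
            AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
          }
          Action = "kms:*"
          # In a key policy, "*" refers to the key the policy is attached to.
          Resource = "*"
        }
      ],
      # Emit the cross-account statement only when principals were supplied;
      # a statement with an empty Principal list is not a valid key policy.
      length(var.cross_account_principal_arns) > 0 ? [
        {
          Sid    = "Allow Cross Account Use"
          Effect = "Allow"
          Principal = {
            AWS = var.cross_account_principal_arns
          }
          Action = [
            "kms:Encrypt",
            "kms:Decrypt"
          ]
          Resource = "*"
        }
      ] : []
    )
  })
}

# Friendly name for the key; the alias resolves to the key created above.
resource "aws_kms_alias" "cross_account" {
  name          = "alias/cross-account-key"
  target_key_id = aws_kms_key.cross_account.key_id
}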