# KMS Multi-Accounts Once the custom KMS Keys has been enabled from: Configuration > Settings > Amazon Web Services

Enable Multi-Domains from: Configuration > Settings > Active Directory and tick on “Multiple Domains”

The KMS Keys will now display for the same account in which the WSM is deployed:

In a multi-accounts scenario in AWS, you need to change the policies attached to the role in the secondary (or more) accounts and specify to WSM which role to use in each case. This is done in two different places: 1) In the secondary account in which you assign permissions for KMS to the existing role. 2) In WSM, for each account with WorkSpaces that are monitored, the role to assume has to be explicitly specified. In the secondary account (and more if needed), a role like *arn:aws:iam::222222222222:role/AllowWSMAccess* will be edited and an AWS Managed Policy called “AWSKeyManagementServicePowerUser” will be added:

In WSM, you need to add the role that you are to use from a different account:

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.nuvens.cloud/admin/appendices/multi-aws-accounts/kms-multi-accounts.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.