AWS Key Management Service
Developer Guide

AWS KMS API Permissions: Actions and Resources Reference

When you are setting up access control with key policies and IAM policies, you can use the following table as a reference. The first column in the table lists each AWS KMS API operation and the corresponding action (permission) that allows the operation. You specify actions in a policy's Action element. The remaining columns provide the following additional information:

  • The type of policy you must use to allow permissions to perform the operation. When the key policy is required, you can allow the permissions directly in the key policy, or you can ensure the key policy contains the policy statement that enables IAM policies and then allow the permissions in an IAM policy.

  • The resource or resources for which you can allow the operation. You specify resources in a policy's Resource element. For key policies, you always specify "*" for the resource, which effectively means "this CMK." A key policy applies only to the CMK it is attached to. For IAM policies, you can specify the Amazon Resource Name (ARN) for a specific resource or set of resources.

  • The AWS KMS condition keys you can use to control access to the operation. You specify conditions in a policy's Condition element. For more information, see AWS KMS Condition Keys.

AWS KMS API Operations and Permissions

Columns of the original table, shown here as one entry per API operation: API operation and action (permission); policy type; resource and its ARN (for IAM policies); AWS KMS condition keys.

CancelKeyDeletion
  Action: kms:CancelKeyDeletion
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

CreateAlias
  Action: kms:CreateAlias
  This operation requires access to two resources, an alias and a CMK, and requires permissions for both.
  Policy type: IAM policy (for the alias)
  Resource: Alias
    arn:aws:kms:AWS_region:AWS_account_ID:alias/alias_name
  Condition keys: None (when controlling access to the alias)
  Policy type: Key policy (for the CMK)
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

CreateGrant
  Action: kms:CreateGrant
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:GrantConstraintType, kms:GrantIsForAWSResource, kms:GrantOperations, kms:CallerAccount, kms:ViaService

CreateKey
  Action: kms:CreateKey
  Policy type: IAM policy
  Resource: *
  Condition keys: kms:BypassPolicyLockoutSafetyCheck

Decrypt
  Action: kms:Decrypt
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:EncryptionContext:, kms:EncryptionContextKeys, kms:CallerAccount, kms:ViaService

DeleteAlias
  Action: kms:DeleteAlias
  This operation requires access to two resources, an alias and a CMK, and requires permissions for both.
  Policy type: IAM policy (for the alias)
  Resource: Alias
    arn:aws:kms:AWS_region:AWS_account_ID:alias/alias_name
  Condition keys: None (when controlling access to the alias)
  Policy type: Key policy (for the CMK)
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

DescribeKey
  Action: kms:DescribeKey
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

DisableKey
  Action: kms:DisableKey
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

DisableKeyRotation
  Action: kms:DisableKeyRotation
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

EnableKey
  Action: kms:EnableKey
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

EnableKeyRotation
  Action: kms:EnableKeyRotation
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

Encrypt
  Action: kms:Encrypt
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:EncryptionContext:, kms:EncryptionContextKeys, kms:CallerAccount, kms:ViaService

GenerateDataKey
  Action: kms:GenerateDataKey
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:EncryptionContext:, kms:EncryptionContextKeys, kms:CallerAccount, kms:ViaService

GenerateDataKeyWithoutPlaintext
  Action: kms:GenerateDataKeyWithoutPlaintext
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:EncryptionContext:, kms:EncryptionContextKeys, kms:CallerAccount, kms:ViaService

GenerateRandom
  Action: kms:GenerateRandom
  Policy type: IAM policy
  Resource: *
  Condition keys: None

GetKeyPolicy
  Action: kms:GetKeyPolicy
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

GetKeyRotationStatus
  Action: kms:GetKeyRotationStatus
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

ListAliases
  Action: kms:ListAliases
  Policy type: IAM policy
  Resource: *
  Condition keys: None

ListGrants
  Action: kms:ListGrants
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

ListKeyPolicies
  Action: kms:ListKeyPolicies
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

ListKeys
  Action: kms:ListKeys
  Policy type: IAM policy
  Resource: *
  Condition keys: None

ListRetirableGrants
  Action: kms:ListRetirableGrants
  Policy type: IAM policy
  Resource: *
  Condition keys: None

PutKeyPolicy
  Action: kms:PutKeyPolicy
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

ReEncrypt
  Actions: kms:ReEncryptFrom, kms:ReEncryptTo
  This operation requires access to two CMKs, one for the decryption (kms:ReEncryptFrom) and one for the subsequent encryption (kms:ReEncryptTo). Users need permissions for both.
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:EncryptionContext:, kms:EncryptionContextKeys, kms:ReEncryptOnSameKey, kms:CallerAccount, kms:ViaService

RetireGrant
  Action: Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see RetireGrant in the AWS Key Management Service API Reference.
  Policy type: Not applicable
  Resource: Not applicable
  Condition keys: Not applicable

RevokeGrant
  Action: kms:RevokeGrant
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

ScheduleKeyDeletion
  Action: kms:ScheduleKeyDeletion
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

UpdateAlias
  Action: kms:UpdateAlias
  This operation requires access to three resources, one alias and two CMKs, the one that the alias currently points to, and the new target CMK specified in the UpdateAlias request. Users need permissions for all three resources.
  Policy type: IAM policy (for the alias)
  Resource: Alias
    arn:aws:kms:AWS_region:AWS_account_ID:alias/alias_name
  Condition keys: None (when controlling access to the alias)
  Policy type: Key policy (for the CMKs)
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService

UpdateKeyDescription
  Action: kms:UpdateKeyDescription
  Policy type: Key policy
  Resource: CMK
    arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID
  Condition keys: kms:CallerAccount, kms:ViaService
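The following is an added example, not code from the AWS documentation. It turns the two points made at the top of this page (key-policy actions only work through IAM once the key policy contains the statement that enables IAM policies; alias operations are controlled through alias ARNs, CMK operations through key ARNs) and the table's Policy Type and Resources columns into a small lint over policy documents. The key policy and IAM policy it checks are constructed samples; the account ID 111122223333, the key ID EXAMPLE-KEY-ID, and the S3 service and encryption-context values in the Condition block are placeholders chosen for the example, and the lint rules are the table's own, not an AWS validation API.

```python
# Added example (not AWS documentation code): lint an IAM policy against the
# KMS permissions table above. Account and key IDs below are placeholders.
import re

# "Policy Type" = Key policy; resource is the CMK (key/ ARN).
KEY_POLICY_ACTIONS = {
    "kms:CancelKeyDeletion", "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
    "kms:DisableKey", "kms:DisableKeyRotation", "kms:EnableKey", "kms:EnableKeyRotation",
    "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:ListGrants", "kms:ListKeyPolicies",
    "kms:PutKeyPolicy", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:RevokeGrant",
    "kms:ScheduleKeyDeletion", "kms:UpdateKeyDescription",
}
# "Policy Type" = IAM policy; resource is "*".
IAM_ONLY_ACTIONS = {"kms:CreateKey", "kms:GenerateRandom", "kms:ListAliases",
                    "kms:ListKeys", "kms:ListRetirableGrants"}
# Alias operations: the alias half is an IAM policy on an alias/ ARN; the CMK
# half is still governed by the key policy.
ALIAS_ACTIONS = {"kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias"}
ALIAS_ARN_RE = re.compile(r"^arn:aws:kms:[^:]+:\d{12}:alias/[^/]+$")


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def key_policy_enables_iam(key_policy, account_id):
    """True if the key policy holds the statement that enables IAM policies:
    Effect Allow, Principal = the account root, Action kms:*, Resource *."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(key_policy.get("Statement")):
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if (stmt.get("Effect") == "Allow" and root in aws
                and "kms:*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            return True
    return False


def lint_iam_policy(iam_policy, key_policy, account_id):
    """Return findings (strings) for the Allow statements of an IAM policy,
    judged against the table and against the key policy the grant relies on."""
    findings = []
    delegated = key_policy_enables_iam(key_policy, account_id)
    for i, stmt in enumerate(_as_list(iam_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        has_alias_arn = any(ALIAS_ARN_RE.match(r) or r == "*" for r in resources)
        for action in _as_list(stmt.get("Action")):
            if action in KEY_POLICY_ACTIONS and not delegated:
                findings.append(f"stmt {i}: {action} is governed by the key policy, "
                                "which does not enable IAM policies; this grant is ineffective")
            if action in KEY_POLICY_ACTIONS and any(ALIAS_ARN_RE.match(r) for r in resources):
                findings.append(f"stmt {i}: {action} applies to a CMK key/ ARN, not an alias ARN")
            if action in ALIAS_ACTIONS and not has_alias_arn:
                findings.append(f"stmt {i}: {action} has no alias ARN in Resource; "
                                "the alias half of the operation needs one")
            if action in IAM_ONLY_ACTIONS and resources != ["*"]:
                findings.append(f"stmt {i}: {action} takes Resource \"*\" only")
    return findings


# Constructed samples; 111122223333 and EXAMPLE-KEY-ID are placeholders.
ACCOUNT = "111122223333"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID"

KEY_POLICY = {  # carries the statement that enables IAM policies for this CMK
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Decrypt/GenerateDataKey only when called through S3 in one region
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": KEY_ARN,
            "Condition": {
                "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"},
                "ForAllValues:StringEquals": {"kms:EncryptionContextKeys": ["aws:s3:arn"]},
            },
        },
        {   # covers the CMK half of CreateAlias but forgets the alias ARN
            "Effect": "Allow",
            "Action": "kms:CreateAlias",
            "Resource": KEY_ARN,
        },
    ],
}

if __name__ == "__main__":
    print("\n".join(lint_iam_policy(IAM_POLICY, KEY_POLICY, ACCOUNT)))
```

Run stand-alone, the script reports only the second statement: the IAM grant for kms:CreateAlias names the CMK but no alias ARN. Remove the "Enable IAM User Permissions" statement from KEY_POLICY and the same IAM policy also produces "ineffective" findings for kms:Decrypt and kms:GenerateDataKey, which is the failure mode the first bullet at the top of this page describes.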