AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Key Management Service

AWS Key Management Service (service prefix: kms) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Key Management Service

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

The table lists, for each action, its description, access level, and resource types; an asterisk after a resource type marks it as required. The Condition Keys and Dependent Actions columns are empty for every KMS action, so they are omitted below. Actions with no resource type (CreateKey, GenerateRandom, ListAliases, ListKeys) are not scoped to a key or alias, and a statement that allows them must use "*" in the Resource element.

CancelKeyDeletion
  Description: Cancels the deletion of a customer master key (CMK). When this operation is successful, the CMK is set to the Disabled state.
  Access level: Write
  Resource types: key*

CreateAlias
  Description: Creates a display name for a customer master key.
  Access level: Write
  Resource types: key*

CreateGrant
  Description: Adds a grant to a key to specify who can use the key and under what conditions.
  Access level: Permissions management
  Resource types: key*

CreateKey
  Description: Creates a customer master key (CMK).
  Access level: Permissions management
  Resource types: none

Decrypt
  Description: Decrypts ciphertext that was previously encrypted under a customer master key.
  Access level: Write
  Resource types: key*

DeleteAlias
  Description: Deletes the specified alias.
  Access level: Write
  Resource types: alias*

DeleteImportedKeyMaterial
  Description: Deletes key material that you previously imported and makes the specified customer master key (CMK) unusable.
  Access level: Write
  Resource types: key*

DescribeKey
  Description: Provides detailed information about the specified customer master key.
  Access level: Read
  Resource types: key*

DisableKey
  Description: Sets the state of a customer master key (CMK) to disabled, thereby preventing its use for cryptographic operations.
  Access level: Write
  Resource types: key*

DisableKeyRotation
  Description: Disables rotation of the specified key.
  Access level: Write
  Resource types: key*

EnableKey
  Description: Marks a key as enabled, thereby permitting its use.
  Access level: Write
  Resource types: key*

EnableKeyRotation
  Description: Enables rotation of the specified customer master key.
  Access level: Write
  Resource types: key*

Encrypt
  Description: Encrypts plaintext into ciphertext by using a customer master key.
  Access level: Write
  Resource types: key*

GenerateDataKey
  Description: Generates a data key that you can use in your application to locally encrypt data.
  Access level: Write
  Resource types: key*

GenerateDataKeyWithoutPlaintext
  Description: Returns a data key encrypted by a customer master key without the plaintext copy of that key.
  Access level: Write
  Resource types: key*

GenerateRandom
  Description: Generates an unpredictable byte string.
  Access level: Read
  Resource types: none

GetKeyPolicy
  Description: Retrieves a policy attached to the specified key.
  Access level: Read
  Resource types: key*

GetKeyRotationStatus
  Description: Retrieves a Boolean value that indicates whether key rotation is enabled for the specified key.
  Access level: Read
  Resource types: key*

GetParametersForImport
  Description: Returns the items you need in order to import key material into AWS KMS from your existing key management infrastructure.
  Access level: Read
  Resource types: key*

ImportKeyMaterial
  Description: Imports key material into an AWS KMS customer master key (CMK) from your existing key management infrastructure.
  Access level: Write
  Resource types: key*

ListAliases
  Description: Lists all of the key aliases in the account.
  Access level: List
  Resource types: none

ListGrants
  Description: Lists the grants for a specified key.
  Access level: Read
  Resource types: key*

ListKeyPolicies
  Description: Retrieves a list of policies attached to a key.
  Access level: List
  Resource types: key*

ListKeys
  Description: Lists the customer master keys.
  Access level: List
  Resource types: none

ListResourceTags
  Description: Returns a list of all tags attached to a key.
  Access level: Read
  Resource types: key*

ListRetirableGrants
  Description: Returns a list of all grants for which the grant's RetiringPrincipal matches the one specified.
  Access level: List
  Resource types: key*

PutKeyPolicy
  Description: Attaches a key policy to the specified customer master key (CMK).
  Access level: Permissions management
  Resource types: key*

RetireGrant
  Description: Retires a grant.
  Access level: Permissions management
  Resource types: key*

RevokeGrant
  Description: Revokes a grant.
  Access level: Permissions management
  Resource types: key*

ScheduleKeyDeletion
  Description: Schedules the deletion of a customer master key (CMK).
  Access level: Write
  Resource types: key*

TagResource
  Description: Creates or updates tags attached to a key.
  Access level: Tagging
  Resource types: key*

UntagResource
  Description: Removes tags attached to a key.
  Access level: Tagging
  Resource types: key*

UpdateAlias
  Description: Updates an alias to map it to a different key.
  Access level: Write
  Resource types: alias*, key*

UpdateKeyDescription
  Description: Updates the description of a key.
  Access level: Write
  Resource types: key*

Resources Defined by KMS

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table. Note that only DeleteAlias and UpdateAlias take the alias resource type; every other key-scoped action, including the cryptographic operations, is matched against the key ARN, so a statement that names only an alias ARN in its Resource element never applies to those actions.

Resource type: alias
  ARN: arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}
  Condition keys: none

Resource type: key
  ARN: arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}
  Condition keys: none
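
As an added example that is not part of this guide, the following Python script transcribes the actions table and the key ARN shape above and uses them to lint an IAM policy document: it expands wildcard actions, flags permissions-management actions (CreateGrant, PutKeyPolicy, RetireGrant, RevokeGrant) granted on every key through Resource "*", and flags key-scoped actions whose Resource element contains no key ARN, which is the alias-ARN mistake described above. The three policy documents, the account ID, the key ID and the alias name are constructed for the example.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Access level and required resource types per KMS action, transcribed from the
# actions table on this page. An empty set means the action is not scoped to a
# key or alias, so a policy must grant it on Resource "*".
KEY, ALIAS, NONE = frozenset({"key"}), frozenset({"alias"}), frozenset()
_GROUPS = [
    ("Write", KEY, "CancelKeyDeletion CreateAlias Decrypt DeleteImportedKeyMaterial DisableKey "
                   "DisableKeyRotation EnableKey EnableKeyRotation Encrypt GenerateDataKey "
                   "GenerateDataKeyWithoutPlaintext ImportKeyMaterial ScheduleKeyDeletion UpdateKeyDescription"),
    ("Write", ALIAS, "DeleteAlias"),
    ("Write", KEY | ALIAS, "UpdateAlias"),
    ("Permissions management", KEY, "CreateGrant PutKeyPolicy RetireGrant RevokeGrant"),
    ("Permissions management", NONE, "CreateKey"),
    ("Read", KEY, "DescribeKey GetKeyPolicy GetKeyRotationStatus GetParametersForImport ListGrants ListResourceTags"),
    ("Read", NONE, "GenerateRandom"),
    ("List", KEY, "ListKeyPolicies ListRetirableGrants"),
    ("List", NONE, "ListAliases ListKeys"),
    ("Tagging", KEY, "TagResource UntagResource"),
]
KMS_ACTIONS: Dict[str, Tuple[str, FrozenSet[str]]] = {
    name: (level, types) for level, types, names in _GROUPS for name in names.split()
}

# Key ARN shape from the resource types table; "*" is allowed in any segment.
KEY_ARN = re.compile(r"^arn:[^:]+:kms:[^:]*:[^:]*:key/[^:/]+$")


def expand_actions(spec) -> List[str]:
    """Expand an Action element (string or list, wildcards allowed) to KMS action names."""
    names = [spec] if isinstance(spec, str) else list(spec)
    out: List[str] = []
    for name in names:
        if name == "*":
            out.extend(KMS_ACTIONS)
            continue
        if not name.lower().startswith("kms:"):
            continue  # other services are outside this page's tables
        pattern = "^" + re.escape(name[4:]).replace(r"\*", ".*") + "$"
        out.extend(a for a in KMS_ACTIONS if re.match(pattern, a, re.IGNORECASE))
    return out


def lint_policy(policy: dict) -> List[str]:
    """Return human-readable findings for risky Allow statements in an IAM policy."""
    findings: List[str] = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue  # Deny and NotAction statements are not examined here
        raw = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        actions = expand_actions(raw)
        if any("*" in a for a in raw):
            findings.append(f"statement {i}: wildcard Action {raw} expands to {len(actions)} KMS actions")
        has_key_arn = any(r == "*" or KEY_ARN.match(r) for r in resources)
        for action in actions:
            level, types = KMS_ACTIONS[action]
            if level == "Permissions management" and "key" in types and "*" in resources:
                findings.append(f"statement {i}: kms:{action} (permissions management) allowed on every key via Resource '*'")
            if "key" in types and not has_key_arn:
                findings.append(f"statement {i}: kms:{action} is matched against a key ARN, but Resource {resources} contains none")
    return findings


# Constructed sample policies (account ID, key ID and alias name are made up).
KEY_ARN_SAMPLE = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OVERLY_BROAD = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
ALIAS_SCOPED = {"Version": "2012-10-17",  # looks scoped, but Decrypt is matched against the key ARN
                "Statement": [{"Effect": "Allow", "Action": ["kms:Decrypt"],
                               "Resource": "arn:aws:kms:us-east-1:111122223333:alias/app-data"}]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": KEY_ARN_SAMPLE,
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["kms:PutKeyPolicy", "kms:CreateGrant", "kms:ScheduleKeyDeletion"]}]}

if __name__ == "__main__":
    for label, doc in [("broad", OVERLY_BROAD), ("alias", ALIAS_SCOPED), ("least", LEAST_PRIVILEGE)]:
        print(label, lint_policy(doc) or "no findings")
```

The linter reads only the Allow statements; the explicit Deny in LEAST_PRIVILEGE is there because IAM evaluates Deny before Allow, so it keeps the permissions-management actions unreachable even if a broader Allow is attached elsewhere. Run against the constructed documents, OVERLY_BROAD produces one wildcard finding plus one finding per key-scoped permissions-management action, ALIAS_SCOPED produces a single finding for kms:Decrypt, and LEAST_PRIVILEGE produces none.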

Condition Keys for AWS Key Management Service

KMS has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.