AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Key Management Service

AWS Key Management Service (service prefix: kms) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Key Management Service

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Columns: action; description; access level; resource types (* = required); condition keys. The Dependent Actions column is empty for every action in this table.

CancelKeyDeletion
    Description: Grants permission to cancel the scheduled deletion of a customer master key.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

CreateAlias
    Description: Grants permission to create an alias for a customer master key (CMK). Aliases are optional display names that you can associate with CMKs.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

CreateGrant
    Description: Grants permission to add a grant to a customer master key. You can use grants to add permissions without changing the key policy or IAM policy.
    Access level: Permissions management
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:GrantConstraintType, kms:GrantIsForAWSResource, kms:ViaService

CreateKey
    Description: Grants permission to create a customer master key that can be used to protect data keys and other sensitive information.
    Access level: Write
    Resource types: (none)
    Condition keys: kms:BypassPolicyLockoutSafetyCheck, kms:KeyOrigin

Decrypt
    Description: Grants permission to decrypt ciphertext that was encrypted under a customer master key.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:EncryptionContextKeys, kms:ViaService

DeleteAlias
    Description: Grants permission to delete an alias, which is an optional friendly name for a customer master key.
    Access level: Write
    Resource types: alias*
    Condition keys: kms:CallerAccount, kms:ViaService

DeleteImportedKeyMaterial
    Description: Grants permission to delete cryptographic material that you imported into a customer master key. This action makes the key unusable.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

DescribeKey
    Description: Grants permission to view detailed information about a customer master key.
    Access level: Read
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

DisableKey
    Description: Grants permission to disable a customer master key, which prevents it from being used in cryptographic operations.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

DisableKeyRotation
    Description: Grants permission to disable automatic rotation of a customer managed customer master key.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

EnableKey
    Description: Grants permission to change the state of a customer master key (CMK) to enabled. This allows the CMK to be used in cryptographic operations.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

EnableKeyRotation
    Description: Grants permission to enable automatic rotation of the cryptographic material in a customer master key.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

Encrypt
    Description: Grants permission to use the specified customer master key to encrypt data and data keys.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:EncryptionContextKeys, kms:ViaService

GenerateDataKey
    Description: Grants permission to use the customer master key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:EncryptionContextKeys, kms:ViaService

GenerateDataKeyWithoutPlaintext
    Description: Grants permission to use the customer master key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:EncryptionContextKeys, kms:ViaService

GenerateRandom
    Description: Grants permission to get a cryptographically secure random byte string from AWS KMS.
    Access level: Write
    Resource types: (none)
    Condition keys: (none)

GetKeyPolicy
    Description: Grants permission to view the key policy for the specified customer master key.
    Access level: Read
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

GetKeyRotationStatus
    Description: Grants permission to determine whether automatic key rotation is enabled on the customer master key.
    Access level: Read
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

GetParametersForImport
    Description: Grants permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token.
    Access level: Read
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService, kms:WrappingAlgorithm, kms:WrappingKeySpec

ImportKeyMaterial
    Description: Grants permission to import cryptographic material into a customer master key.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ExpirationModel, kms:ValidTo, kms:ViaService

ListAliases
    Description: Grants permission to view the aliases that are defined in the account. Aliases are optional display names that you can associate with customer master keys.
    Access level: List
    Resource types: (none)
    Condition keys: (none)

ListGrants
    Description: Grants permission to view all grants for a customer master key.
    Access level: List
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

ListKeyPolicies
    Description: Grants permission to view the names of key policies for a customer master key.
    Access level: List
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

ListKeys
    Description: Grants permission to view the key ID and Amazon Resource Name (ARN) of all customer master keys in the account.
    Access level: List
    Resource types: (none)
    Condition keys: (none)

ListResourceTags
    Description: Grants permission to view all tags that are attached to a customer master key.
    Access level: Read
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

ListRetirableGrants
    Description: Grants permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants.
    Access level: List
    Resource types: key*
    Condition keys: (none)

PutKeyPolicy
    Description: Grants permission to replace the key policy for the specified customer master key.
    Access level: Permissions management
    Resource types: key*
    Condition keys: kms:BypassPolicyLockoutSafetyCheck, kms:CallerAccount, kms:ViaService

ReEncryptFrom
    Description: Grants permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:EncryptionContextKeys, kms:ReEncryptOnSameKey, kms:ViaService

ReEncryptTo
    Description: Grants permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:EncryptionContextKeys, kms:ReEncryptOnSameKey, kms:ViaService

RetireGrant
    Description: Grants permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform.
    Access level: Permissions management
    Resource types: key*
    Condition keys: (none)

RevokeGrant
    Description: Grants permission to revoke a grant, which denies permission for all operations that depend on the grant.
    Access level: Permissions management
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

ScheduleKeyDeletion
    Description: Grants permission to schedule deletion of a customer master key.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

TagResource
    Description: Grants permission to create or update tags that are attached to a customer master key.
    Access level: Tagging
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

UntagResource
    Description: Grants permission to delete tags that are attached to a customer master key.
    Access level: Tagging
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

UpdateAlias
    Description: Grants permission to associate an alias with a different customer master key.
    Access level: Write
    Resource types: alias*, key*
    Condition keys: kms:CallerAccount, kms:ViaService

UpdateKeyDescription
    Description: Grants permission to delete or change the description of a customer master key.
    Access level: Write
    Resource types: key*
    Condition keys: kms:CallerAccount, kms:ViaService

Resources Defined by KMS

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Columns: resource type; ARN; condition keys.

alias
    ARN: arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}
    Condition keys: (none)

key
    ARN: arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}
    Condition keys: (none)

Condition Keys for AWS Key Management Service

AWS Key Management Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Columns: condition key; description; type.

kms:BypassPolicyLockoutSafetyCheck (Bool)
    Controls access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request.

kms:CallerAccount (String)
    Controls access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition to allow or deny access to all IAM users and roles in an AWS account in a single policy statement.

kms:EncryptionContextKeys (String)
    Controls access based on the presence of specified keys in the encryption context. The encryption context is an optional element in a cryptographic operation.

kms:ExpirationModel (String)
    Controls access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request.

kms:GrantConstraintType (String)
    Controls access to the CreateGrant operation based on the grant constraint in the request.

kms:GrantIsForAWSResource (Bool)
    Controls access to the CreateGrant operation when the request comes from a specified AWS service.

kms:GrantOperations (String)
    Controls access to the CreateGrant operation based on the operations in the grant.

kms:GranteePrincipal (String)
    Controls access to the CreateGrant operation based on the grantee principal in the grant.

kms:KeyOrigin (String)
    Controls access to the CreateKey operation based on the value of the Origin parameter in the request. The Origin parameter determines whether AWS KMS generates cryptographic material for the key or imports it.

kms:ReEncryptOnSameKey (Bool)
    Controls access to the ReEncrypt operation when it uses the same customer master key that was used for the Encrypt operation.

kms:RetiringPrincipal (String)
    Controls access to the CreateGrant operation based on the retiring principal in the grant.

kms:ValidTo (Numeric)
    Controls access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date.

kms:ViaService (String)
    Controls access when a request made on the principal's behalf comes from a specified AWS service.

kms:WrappingAlgorithm (String)
    Controls access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request.

kms:WrappingKeySpec (String)
    Controls access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request.
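The three tables above (actions with their access levels, the key and alias ARN formats, and the condition keys) are what a policy reviewer needs to spot over-broad KMS grants. The following script is an added example, not AWS code or part of this guide: it parses KMS resource ARNs using the formats from the resource-types table, and audits an IAM policy document for Allow statements that grant the Permissions management actions listed above (CreateGrant, PutKeyPolicy, RetireGrant, RevokeGrant) without a kms:CallerAccount or kms:ViaService condition, that grant CreateKey or PutKeyPolicy without pinning kms:BypassPolicyLockoutSafetyCheck to false, or that use a Resource that is neither "*" nor a KMS key or alias ARN. The policy documents, account ID, key ID and kms:ViaService value in it are constructed sample data; the audit rules are this example's own choices, not AWS guidance.

```python
"""Audit IAM policy statements against the KMS actions, ARNs and condition keys
documented on this page. Added example; pure standard library, runs offline."""
import fnmatch
import json
import re
from typing import Dict, List, Optional

# Resource ARN formats from the resource-types table:
#   arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}
#   arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}
KMS_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]*):(?P<account>[^:]*)"
    r":(?P<rtype>key|alias)/(?P<rid>.+)$"
)

# Actions whose access level on this page is "Permissions management".
PERMISSIONS_MANAGEMENT = {"kms:CreateGrant", "kms:PutKeyPolicy",
                          "kms:RetireGrant", "kms:RevokeGrant"}
# Actions that accept the kms:BypassPolicyLockoutSafetyCheck condition key.
LOCKOUT_CHECK_ACTIONS = {"kms:CreateKey", "kms:PutKeyPolicy"}
# Condition keys that scope a statement to a caller account or calling service.
# Stored lowercase because IAM condition key names are case-insensitive.
SCOPING_KEYS = {"kms:calleraccount", "kms:viaservice"}


def parse_kms_arn(arn: str) -> Optional[dict]:
    """Return the ARN's fields (partition, region, account, rtype, rid) or None."""
    match = KMS_ARN_RE.match(arn)
    return match.groupdict() if match else None


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and may contain '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _granted(stmt: dict, candidates: set) -> set:
    """Subset of `candidates` that the statement's Action patterns cover."""
    patterns = _as_list(stmt.get("Action"))
    return {a for a in candidates if any(_action_matches(p, a) for p in patterns)}


def _condition_values(stmt: dict) -> Dict[str, List[str]]:
    """Flatten Condition {operator: {key: value(s)}} into {lowercase key: values}."""
    flat: Dict[str, List[str]] = {}
    for _operator, keys in (stmt.get("Condition") or {}).items():
        for key, value in keys.items():
            flat.setdefault(key.lower(), []).extend(str(v).lower() for v in _as_list(value))
    return flat


def audit_statement(stmt: dict) -> List[str]:
    """Return a list of findings for one policy statement (empty = no issue)."""
    findings: List[str] = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements only narrow access; nothing to flag.
    resources = _as_list(stmt.get("Resource"))
    for res in resources:
        if res != "*" and parse_kms_arn(res) is None:
            findings.append(f"resource {res!r} is not a KMS key or alias ARN")
    conds = _condition_values(stmt)
    pm_actions = _granted(stmt, PERMISSIONS_MANAGEMENT)
    if pm_actions and not (SCOPING_KEYS & conds.keys()):
        findings.append("permissions-management actions " + ", ".join(sorted(pm_actions))
                        + " allowed without a kms:CallerAccount or kms:ViaService condition")
    if pm_actions and "*" in resources:
        findings.append("permissions-management actions allowed on Resource \"*\"")
    lockout_actions = _granted(stmt, LOCKOUT_CHECK_ACTIONS)
    if lockout_actions and conds.get("kms:bypasspolicylockoutsafetycheck") != ["false"]:
        findings.append(", ".join(sorted(lockout_actions))
                        + " allowed without requiring kms:BypassPolicyLockoutSafetyCheck = false")
    return findings


def audit_policy(policy_json: str) -> Dict[str, List[str]]:
    """Map each statement's Sid (or positional name) to its findings."""
    policy = json.loads(policy_json)
    return {stmt.get("Sid", f"statement{i}"): audit_statement(stmt)
            for i, stmt in enumerate(_as_list(policy["Statement"]))}


# Constructed sample policies (account ID, key ID and service name are made up).
RISKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BroadGrants", "Effect": "Allow",
     "Action": ["kms:CreateGrant", "kms:PutKeyPolicy"], "Resource": "*"},
    {"Sid": "WrongArn", "Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:us-east-1:111122223333:secret/app"},
]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ScopedGrants", "Effect": "Allow", "Action": "kms:CreateGrant",
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333",
                                    "kms:ViaService": "ec2.us-east-1.amazonaws.com"},
                   "Bool": {"kms:GrantIsForAWSResource": "true"}}},
    {"Sid": "SafePolicyUpdate", "Effect": "Allow", "Action": "kms:PutKeyPolicy",
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333"},
                   "Bool": {"kms:BypassPolicyLockoutSafetyCheck": "false"}}},
]})

if __name__ == "__main__":
    for name, doc in (("risky", RISKY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_policy(doc), indent=2))
```

The audit treats a missing scoping condition on a Permissions management action as a finding because those four actions change who can use the key, which is why the page lists them at that access level rather than as Write. Pinning kms:BypassPolicyLockoutSafetyCheck to false in the policy means a caller cannot set that request parameter, so a key policy cannot be replaced with one that locks the account out.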