Determining access to AWS KMS keys

To determine the full extent of who or what currently has access to an AWS KMS key, you must examine the key policy of the KMS key, all grants that apply to the KMS key, and potentially all AWS Identity and Access Management (IAM) policies. You might do this to determine the scope of potential usage of a KMS key, or to help you meet compliance or auditing requirements. The following topics can help you generate a complete list of the AWS principals (identities) that currently have access to a KMS key.

Topics

Examining the key policy
Examining IAM policies
Examining grants
Troubleshooting key access

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Hybrid post-quantum TLS

Examining the key policy