Condition keys for AWS KMS - AWS Key Management Service

Condition keys for AWS KMS

You can specify conditions in the key policies and AWS Identity and Access Management policies (IAM policies) that control access to AWS KMS resources. The policy statement is effective only when the conditions are true. For example, you might want a policy statement to take effect only after a specific date. Or, you might want a policy statement to control access only when a specific value appears in an API request.

To specify conditions, you use condition keys in the Condition element of a policy statement with IAM condition operators. Some condition keys apply generally to AWS; others are specific to AWS KMS.

Note

Condition key values must adhere to the character and encoding rules for AWS KMS key policies and IAM policies. For details about key policy document rules, see Key policy format. For details about IAM policy document rules, see IAM name requirements in the IAM User Guide..