Actions, resources, and condition keys for AWS Key Management Service
AWS Key Management Service (service prefix: kms) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS Key Management Service
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Access level column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see Access levels in policy summaries.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
The Dependent actions column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Resource types defined by AWS Key Management Service
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
Condition keys for AWS Key Management Service
AWS Key Management Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see AWS global condition context keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access to the specified AWS KMS operations based on both the key and value of the tag in the request | String |
| aws:ResourceTag/${TagKey} | Filters access to the specified AWS KMS operations based on tags assigned to the AWS KMS key | String |
| aws:TagKeys | Filters access to the specified AWS KMS operations based on tag keys in the request | ArrayOfString |
| kms:BypassPolicyLockoutSafetyCheck | Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request | Bool |
| kms:CallerAccount | Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement | String |
| kms:CustomerMasterKeySpec | The kms:CustomerMasterKeySpec condition key is deprecated. Instead, use the kms:KeySpec condition key | String |
| kms:CustomerMasterKeyUsage | The kms:CustomerMasterKeyUsage condition key is deprecated. Instead, use the kms:KeyUsage condition key | String |
| kms:DataKeyPairSpec | Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the KeyPairSpec parameter in the request | String |
| kms:EncryptionAlgorithm | Filters access to encryption operations based on the value of the encryption algorithm in the request | String |
| kms:EncryptionContext:${EncryptionContextKey} | Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition evaluates the key and value in each key-value encryption context pair | String |
| kms:EncryptionContextKeys | Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition key evaluates only the key in each key-value encryption context pair | ArrayOfString |
| kms:ExpirationModel | Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request | String |
| kms:GrantConstraintType | Filters access to the CreateGrant operation based on the grant constraint in the request | String |
| kms:GrantIsForAWSResource | Filters access to the CreateGrant operation when the request comes from a specified AWS service | Bool |
| kms:GrantOperations | Filters access to the CreateGrant operation based on the operations in the grant | ArrayOfString |
| kms:GranteePrincipal | Filters access to the CreateGrant operation based on the grantee principal in the grant | String |
| kms:KeyAgreementAlgorithm | Filters access to the DeriveSharedSecret operation based on the value of the KeyAgreementAlgorithm parameter in the request | String |
| kms:KeyOrigin | Filters access to an API operation based on the Origin property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key | String |
| kms:KeySpec | Filters access to an API operation based on the KeySpec property of the AWS KMS key that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource | String |
| kms:KeyUsage | Filters access to an API operation based on the KeyUsage property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource | String |
| kms:MacAlgorithm | Filters access to the GenerateMac and VerifyMac operations based on the MacAlgorithm parameter in the request | String |
| kms:MessageType | Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request | String |
| kms:MultiRegion | Filters access to an API operation based on the MultiRegion property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource | Bool |
| kms:MultiRegionKeyType | Filters access to an API operation based on the MultiRegionKeyType property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource | String |
| kms:PrimaryRegion | Filters access to the UpdatePrimaryRegion operation based on the value of the PrimaryRegion parameter in the request | String |
| kms:ReEncryptOnSameKey | Filters access to the ReEncrypt operation when it uses the same AWS KMS key that was used for the Encrypt operation | Bool |
| kms:RecipientAttestation:ImageSha384 | Filters access to the API operations based on the image hash in the attestation document in the request | String |
| kms:RecipientAttestation:NitroTPMPCR0 | Filters access by the platform configuration register (PCR) 0 in the attestation document in the request. PCR0 is a contiguous measure of core system firmware executable code | String |
| kms:RecipientAttestation:NitroTPMPCR1 | Filters access by the platform configuration register (PCR) 1 in the attestation document in the request. PCR1 is a contiguous measure of core system firmware data/host platform configuration, typically including serial and model numbers | String |
| kms:RecipientAttestation:NitroTPMPCR10 | Filters access by the platform configuration register (PCR) 10 in the attestation document in the request. PCR10 is a contiguous measure of protection of the IMA measurement log | String |
| kms:RecipientAttestation:NitroTPMPCR11 | Filters access by the platform configuration register (PCR) 11 in the attestation document in the request. PCR11 is a contiguous measure of all components of unified kernel images (UKIs) | String |
| kms:RecipientAttestation:NitroTPMPCR12 | Filters access by the platform configuration register (PCR) 12 in the attestation document in the request. PCR12 is a contiguous measure of kernel command line, system credentials and system configuration images | String |
| kms:RecipientAttestation:NitroTPMPCR13 | Filters access by the platform configuration register (PCR) 13 in the attestation document in the request. PCR13 is a contiguous measure of all system extension images for the initrd | String |
| kms:RecipientAttestation:NitroTPMPCR14 | Filters access by the platform configuration register (PCR) 14 in the attestation document in the request. PCR14 is a contiguous measure of "MOK" certificates and hashes | String |
| kms:RecipientAttestation:NitroTPMPCR15 | Filters access by the platform configuration register (PCR) 15 in the attestation document in the request. PCR15 is a contiguous measure of root file system volume encryption key | String |
| kms:RecipientAttestation:NitroTPMPCR16 | Filters access by the platform configuration register (PCR) 16 in the attestation document in the request. PCR16 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:NitroTPMPCR17 | Filters access by the platform configuration register (PCR) 17 in the attestation document in the request. PCR17 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:NitroTPMPCR18 | Filters access by the platform configuration register (PCR) 18 in the attestation document in the request. PCR18 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:NitroTPMPCR19 | Filters access by the platform configuration register (PCR) 19 in the attestation document in the request. PCR19 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:NitroTPMPCR2 | Filters access by the platform configuration register (PCR) 2 in the attestation document in the request. PCR2 is a contiguous measure of extended or pluggable executable code, including option ROMs on pluggable hardware | String |
| kms:RecipientAttestation:NitroTPMPCR20 | Filters access by the platform configuration register (PCR) 20 in the attestation document in the request. PCR20 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:NitroTPMPCR21 | Filters access by the platform configuration register (PCR) 21 in the attestation document in the request. PCR21 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:NitroTPMPCR22 | Filters access by the platform configuration register (PCR) 22 in the attestation document in the request. PCR22 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:NitroTPMPCR23 | Filters access by the platform configuration register (PCR) 23 in the attestation document in the request. PCR23 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:NitroTPMPCR3 | Filters access by the platform configuration register (PCR) 3 in the attestation document in the request. PCR3 is a contiguous measure of extended or pluggable firmware data, including information about pluggable hardware | String |
| kms:RecipientAttestation:NitroTPMPCR4 | Filters access by the platform configuration register (PCR) 4 in the attestation document in the request. PCR4 is a contiguous measure of boot loader and additional drivers, including binaries and extensions loaded by the boot loader | String |
| kms:RecipientAttestation:NitroTPMPCR5 | Filters access by the platform configuration register (PCR) 5 in the attestation document in the request. PCR5 is a contiguous measure of GPT/Partition table | String |
| kms:RecipientAttestation:NitroTPMPCR6 | Filters access by the platform configuration register (PCR) 6 in the attestation document in the request. PCR6 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:NitroTPMPCR7 | Filters access by the platform configuration register (PCR) 7 in the attestation document in the request. PCR7 is a contiguous measure of SecureBoot state | String |
| kms:RecipientAttestation:NitroTPMPCR8 | Filters access by the platform configuration register (PCR) 8 in the attestation document in the request. PCR8 is a contiguous measure of commands and kernel command line | String |
| kms:RecipientAttestation:NitroTPMPCR9 | Filters access by the platform configuration register (PCR) 9 in the attestation document in the request. PCR9 is a contiguous measure of all files read (including kernel image) | String |
| kms:RecipientAttestation:PCR0 | Filters access by the platform configuration register (PCR) 0 in the attestation document in the request. PCR0 is a contiguous measure of the contents of the enclave image file, without the section data | String |
| kms:RecipientAttestation:PCR1 | Filters access by the platform configuration register (PCR) 1 in the attestation document in the request. PCR1 is a contiguous measurement of the Linux kernel and bootstrap data | String |
| kms:RecipientAttestation:PCR10 | Filters access by the platform configuration register (PCR) 10 in the attestation document in the request. PCR10 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR11 | Filters access by the platform configuration register (PCR) 11 in the attestation document in the request. PCR11 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR12 | Filters access by the platform configuration register (PCR) 12 in the attestation document in the request. PCR12 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR13 | Filters access by the platform configuration register (PCR) 13 in the attestation document in the request. PCR13 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR14 | Filters access by the platform configuration register (PCR) 14 in the attestation document in the request. PCR14 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR15 | Filters access by the platform configuration register (PCR) 15 in the attestation document in the request. PCR15 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR16 | Filters access by the platform configuration register (PCR) 16 in the attestation document in the request. PCR16 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR17 | Filters access by the platform configuration register (PCR) 17 in the attestation document in the request. PCR17 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR18 | Filters access by the platform configuration register (PCR) 18 in the attestation document in the request. PCR18 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR19 | Filters access by the platform configuration register (PCR) 19 in the attestation document in the request. PCR19 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR2 | Filters access by the platform configuration register (PCR) 2 in the attestation document in the request. PCR2 is a contiguous, in-order measurement of the user applications, without the boot ramfs | String |
| kms:RecipientAttestation:PCR20 | Filters access by the platform configuration register (PCR) 20 in the attestation document in the request. PCR20 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR21 | Filters access by the platform configuration register (PCR) 21 in the attestation document in the request. PCR21 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR22 | Filters access by the platform configuration register (PCR) 22 in the attestation document in the request. PCR22 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR23 | Filters access by the platform configuration register (PCR) 23 in the attestation document in the request. PCR23 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR24 | Filters access by the platform configuration register (PCR) 24 in the attestation document in the request. PCR24 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR25 | Filters access by the platform configuration register (PCR) 25 in the attestation document in the request. PCR25 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR26 | Filters access by the platform configuration register (PCR) 26 in the attestation document in the request. PCR26 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR27 | Filters access by the platform configuration register (PCR) 27 in the attestation document in the request. PCR27 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR28 | Filters access by the platform configuration register (PCR) 28 in the attestation document in the request. PCR28 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR29 | Filters access by the platform configuration register (PCR) 29 in the attestation document in the request. PCR29 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR3 | Filters access by the platform configuration register (PCR) 3 in the attestation document in the request. PCR3 is a contiguous measurement of the IAM role assigned to the parent instance | String |
| kms:RecipientAttestation:PCR30 | Filters access by the platform configuration register (PCR) 30 in the attestation document in the request. PCR30 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR31 | Filters access by the platform configuration register (PCR) 31 in the attestation document in the request. PCR31 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR4 | Filters access by the platform configuration register (PCR) 4 in the attestation document in the request. PCR4 is a contiguous measurement of the ID of the parent instance | String |
| kms:RecipientAttestation:PCR5 | Filters access by the platform configuration register (PCR) 5 in the attestation document in the request. PCR5 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR6 | Filters access by the platform configuration register (PCR) 6 in the attestation document in the request. PCR6 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR7 | Filters access by the platform configuration register (PCR) 7 in the attestation document in the request. PCR7 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:RecipientAttestation:PCR8 | Filters access by the platform configuration register (PCR) 8 in the attestation document in the request. PCR8 is a measure of the signing certificate specified for the enclave image file | String |
| kms:RecipientAttestation:PCR9 | Filters access by the platform configuration register (PCR) 9 in the attestation document in the request. PCR9 is a custom PCR that can be defined by the user for specific use cases | String |
| kms:ReplicaRegion | Filters access to the ReplicateKey operation based on the value of the ReplicaRegion parameter in the request | String |
| kms:RequestAlias | Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request | String |
| kms:ResourceAliases | Filters access to specified AWS KMS operations based on aliases associated with the AWS KMS key | ArrayOfString |
| kms:RetiringPrincipal | Filters access to the CreateGrant operation based on the retiring principal in the grant | String |
| kms:RotationPeriodInDays | Filters access to the EnableKeyRotation operation based on the value of the RotationPeriodInDays parameter in the request | Numeric |
| kms:ScheduleKeyDeletionPendingWindowInDays | Filters access to the ScheduleKeyDeletion operation based on the value of the PendingWindowInDays parameter in the request | Numeric |
| kms:SigningAlgorithm | Filters access to the Sign and Verify operations based on the signing algorithm in the request | String |
| kms:ValidTo | Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date | Date |
| kms:ViaService | Filters access when a request made on the principal's behalf comes from a specified AWS service | String |
| kms:WrappingAlgorithm | Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request | String |
| kms:WrappingKeySpec | Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request | String |
