Change a key policy - AWS Key Management Service

You can change the key policy for a KMS key in your AWS account by using the AWS Management Console or the PutKeyPolicy operation. You cannot use these techniques to change the key policy of a KMS key in a different AWS account.

When changing a key policy, keep in mind the following rules:

  • You can view the key policy for an AWS managed key or a customer managed key, but you can only change the key policy for a customer managed key. The policies of AWS managed keys are created and managed by the AWS service that created the KMS key in your account. You cannot view or change the key policy for an AWS owned key.

  • You can add or remove IAM users, IAM roles, and AWS accounts in the key policy, and change the actions that are allowed or denied for those principals. For more information about the ways to specify principals and permissions in a key policy, see Key policies.

  • You cannot add IAM groups to a key policy, but you can add multiple IAM users and IAM roles. For more information, see Allowing multiple IAM principals to access a KMS key.

  • If you add external AWS accounts to a key policy, you must also use IAM policies in the external accounts to give permissions to IAM users, groups, or roles in those accounts. For more information, see Allowing users in other accounts to use a KMS key.

  • The resulting key policy document cannot exceed 32 KB (32,768 bytes).

How to change a key policy

You can change a key policy in three different ways as explained in the following sections.

Using the AWS Management Console default view

You can use the console to change a key policy with a graphical interface called the default view.

If the following steps don't match what you see in the console, it might mean that this key policy was not created by the console. Or it might mean that the key policy has been modified in a way that the console's default view does not support. In that case, follow the steps at Using the AWS Management Console policy view or Using the AWS KMS API.

  1. View the key policy for a customer managed key as described in Using the AWS KMS console. (You cannot change the key policies of AWS managed keys.)

  2. Decide what to change.

    • To add or remove key administrators, and to allow or prevent key administrators from deleting the KMS key, use the controls in the Key administrators section of the page. Key administrators manage the KMS key, including enabling and disabling it, setting key policy, and enabling key rotation.

    • To add or remove key users, and to allow or disallow external AWS accounts to use the KMS key, use the controls in the Key users section of the page. Key users can use the KMS key in cryptographic operations, such as encrypting, decrypting, re-encrypting, and generating data keys.

Using the AWS Management Console policy view

You can use the console to change a key policy document with the console's policy view.

  1. View the key policy for a customer managed key as described in Using the AWS KMS console. (You cannot change the key policies of AWS managed keys.)

  2. In the Key Policy section, choose Switch to policy view.

  3. Choose Edit.

  4. Decide what to change.

    • To add a new statement, choose Add new statement. Then, you can select the actions, principals, and conditions for your new key policy statement from the options listed in the statement builder panel, or manually enter the policy statement elements.

    • To remove a statement from your key policy, select the statement and then choose Remove. Review the selected policy statement and confirm that you want to remove it. If you decide that you do not want to proceed with removing the statement, choose Cancel.

    • To edit an existing key policy statement, select the statement. Then, you can use the statement builder panel to choose specific elements that you want to modify, or manually edit the statement.

  5. Choose Save changes.

Using the AWS KMS API

You can use the PutKeyPolicy operation to change the key policy of a KMS key in your AWS account. You cannot use this API on a KMS key in a different AWS account.

  1. Use the GetKeyPolicy operation to get the existing key policy document, and then save the key policy document to a file. For sample code in multiple programming languages, see Use GetKeyPolicy with an AWS SDK or CLI.

  2. Open the key policy document in your preferred text editor, edit the key policy document, and then save the file.

  3. Use the PutKeyPolicy operation to apply the updated key policy document to the KMS key. For sample code in multiple programming languages, see Use PutKeyPolicy with an AWS SDK or CLI.

For an example of copying a key policy from one KMS key to another, see the GetKeyPolicy example in the AWS CLI Command Reference.
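The three API steps above (GetKeyPolicy, edit, PutKeyPolicy) are usually scripted, and the editing step is where the rules listed at the top of this page bite: an IAM group ARN is silently accepted by a text editor but rejected by KMS, and a policy that grows past 32 KB fails on PutKeyPolicy. The following Python script is an added example, not code from the AWS documentation or an AWS SDK sample: the offline helpers add a principal to a key-users statement and enforce the no-groups and size rules, and `update_key_policy` wires them to the boto3 `get_key_policy` / `put_key_policy` calls. The sample policy, the statement Sid `Allow use of the key`, the account ID 111122223333 and the role name `ExampleRole` are constructed for illustration.

```python
"""Edit a KMS key policy document offline, then apply it with PutKeyPolicy.

Added example (not AWS documentation code). Helpers implement step 2 of
the API procedure and check two rules from this page: IAM groups cannot be
key policy principals, and the document must stay within 32,768 bytes.
"""
import json
import re

MAX_POLICY_BYTES = 32768  # KMS limit stated on this page: 32 KB (32,768 bytes)

# Constructed sample policy (account 111122223333 and ExampleRole are illustrative).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111122223333:role/ExampleRole"]},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
})

# Matches IAM group ARNs (arn:aws:iam::ACCOUNT:group/NAME), which KMS rejects.
GROUP_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:group/")

KEY_USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]


def key_users(policy_text, sid="Allow use of the key"):
    """Return the AWS principals listed in the statement with the given Sid."""
    policy = json.loads(policy_text)
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == sid:
            aws = stmt.get("Principal", {}).get("AWS", [])
            return [aws] if isinstance(aws, str) else list(aws)
    return []


def add_key_user(policy_text, principal_arn, sid="Allow use of the key"):
    """Return a new policy document with principal_arn added as a key user.

    Rejects IAM groups (not allowed in key policies); adding an ARN that is
    already present is a no-op, so the function is safe to re-run.
    """
    if GROUP_ARN.match(principal_arn):
        raise ValueError("IAM groups cannot be added to a key policy; "
                         "add the group's users or roles individually")
    policy = json.loads(policy_text)
    stmt = next((s for s in policy["Statement"] if s.get("Sid") == sid), None)
    if stmt is None:  # no key-users statement yet: create one
        stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": []},
                "Action": KEY_USER_ACTIONS, "Resource": "*"}
        policy["Statement"].append(stmt)
    aws = stmt.setdefault("Principal", {}).get("AWS", [])
    aws = [aws] if isinstance(aws, str) else list(aws)
    if principal_arn not in aws:
        aws.append(principal_arn)
    stmt["Principal"]["AWS"] = aws
    return json.dumps(policy, indent=2)


def check_policy_size(policy_text):
    """Return the UTF-8 size of the document; raise if it exceeds the KMS limit."""
    size = len(policy_text.encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        raise ValueError(f"key policy is {size} bytes; KMS limit is {MAX_POLICY_BYTES}")
    return size


def update_key_policy(key_id, principal_arn, region=None):
    """Fetch, edit, validate and apply the policy of a KMS key in this account.

    Requires AWS credentials; works only for keys in the caller's own account,
    as the page states for PutKeyPolicy.
    """
    import boto3  # imported here so the offline helpers run without boto3
    kms = boto3.client("kms", region_name=region)
    current = kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"]
    updated = add_key_user(current, principal_arn)
    check_policy_size(updated)
    # Leave BypassPolicyLockoutSafetyCheck at its default (False) so KMS refuses
    # a policy that would remove your own ability to call PutKeyPolicy again.
    kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=updated)
    return updated


if __name__ == "__main__":
    new_doc = add_key_user(SAMPLE_POLICY, "arn:aws:iam::111122223333:user/alice")
    print(f"{check_policy_size(new_doc)} bytes; key users: {key_users(new_doc)}")
```

Run without arguments it only exercises the offline helpers on the constructed sample; call `update_key_policy("1234abcd-12ab-34cd-56ef-1234567890ab", "arn:aws:iam::111122223333:user/alice")` with credentials to perform the real GetKeyPolicy / PutKeyPolicy round trip. Keep the root-principal statement ("Enable IAM User Permissions" in the sample) in place: it is what lets IAM policies in the account grant access at all, and removing it is the most common way to lock a key.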

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.