AWS KMS permissions - AWS Key Management Service

AWS KMS permissions

The Actions and Resources Table is designed to help you define access control in key policies and IAM policies.

Note

You might have to scroll horizontally or vertically to see all of the data in the table.

Actions and permissions Policy type Cross-account use Resources (for IAM policies) AWS KMS condition keys

CancelKeyDeletion

kms:CancelKeyDeletion

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

ConnectCustomKeyStore

kms:ConnectCustomKeyStore

IAM policy No

*

kms:CallerAccount

CreateAlias

kms:CreateAlias

To use this operation, the caller needs kms:CreateAlias permission on two resources:

  • The alias (in an IAM policy)

  • The CMK (in a key policy)

For details, see Controlling access to aliases.

IAM policy (for the alias)

No

Alias

None (when controlling access to the alias)

Key policy (for the CMK)

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

CreateCustomKeyStore

kms:CreateCustomKeyStore

IAM policy No

*

kms:CallerAccount

CreateGrant

kms:CreateGrant

Key policy

Yes

CMK

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Grant conditions:

kms:GrantConstraintType

kms:GranteePrincipal

kms:GrantIsForAWSResource

kms:GrantOperations

kms:RetiringPrincipal

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

CreateKey

kms:CreateKey

IAM policy

No

*

kms:BypassPolicyLockoutSafetyCheck

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:ViaService

Conditions for tagging:

aws:RequestTag/tag-key (AWS global condition key)

aws:ResourceTag/tag-key (AWS global condition key)

aws:TagKeys (AWS global condition key)

Decrypt

kms:Decrypt

Key policy

Yes

CMK

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

DeleteAlias

kms:DeleteAlias

To use this operation, the caller needs kms:DeleteAlias permission on two resources:

  • The alias (in an IAM policy)

  • The CMK (in a key policy)

For details, see Controlling access to aliases.

IAM policy (for the alias)

No

Alias

None (when controlling access to the alias)

Key policy (for the CMK)

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

DeleteCustomKeyStore

kms:DeleteCustomKeyStore

IAM policy No

*

kms:CallerAccount

DeleteImportedKeyMaterial

kms:DeleteImportedKeyMaterial

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

DescribeCustomKeyStores

kms:DescribeCustomKeyStores

IAM policy No

*

kms:CallerAccount

DescribeKey

kms:DescribeKey

Key policy

Yes

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:RequestAlias

DisableKey

kms:DisableKey

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

DisableKeyRotation

kms:DisableKeyRotation

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

DisconnectCustomKeyStore

kms:DisconnectCustomKeyStore

IAM policy No

*

kms:CallerAccount

EnableKey

kms:EnableKey

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

EnableKeyRotation

kms:EnableKeyRotation

Key policy

No

CMK (symmetric only)

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Encrypt

kms:Encrypt

Key policy

Yes

CMK

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GenerateDataKey

kms:GenerateDataKey

Key policy

Yes

CMK (symmetric only)

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GenerateDataKeyPair

kms:GenerateDataKeyPair

Key policy

Yes

CMK (symmetric only)

GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric CMK.

Conditions for data key pairs:

kms:DataKeyPairSpec

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GenerateDataKeyPairWithoutPlaintext

kms:GenerateDataKeyPairWithoutPlaintext

Key policy

Yes

CMK (symmetric only)

GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric CMK.

Conditions for data key pairs:

kms:DataKeyPairSpec

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GenerateDataKeyWithoutPlaintext

kms:GenerateDataKeyWithoutPlaintext

Key policy

Yes

CMK (symmetric only)

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GenerateRandom

kms:GenerateRandom

IAM policy

N/A

*

None

GetKeyPolicy

kms:GetKeyPolicy

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GetKeyRotationStatus

kms:GetKeyRotationStatus

Key policy

Yes

CMK (symmetric only)

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GetParametersForImport

kms:GetParametersForImport

Key policy

No

CMK (symmetric only)

kms:WrappingAlgorithm

kms:WrappingKeySpec

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GetPublicKey

kms:GetPublicKey

Key policy

Yes

CMK (asymmetric only)

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:RequestAlias

ImportKeyMaterial

kms:ImportKeyMaterial

Key policy

No

CMK (symmetric only)

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:ExpirationModel

kms:ValidTo

ListAliases

kms:ListAliases

IAM policy

No

*

None

ListGrants

kms:ListGrants

Key policy

Yes

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:GrantIsForAWSResource

ListKeyPolicies

kms:ListKeyPolicies

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

ListKeys

kms:ListKeys

IAM policy

No

*

None

ListResourceTags

kms:ListResourceTags

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

ListRetirableGrants

kms:ListRetirableGrants

IAM policy

The specified principal must be in the local account, but the operation returns grants in all accounts.

*

None

PutKeyPolicy

kms:PutKeyPolicy

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:BypassPolicyLockoutSafetyCheck

ReEncrypt

kms:ReEncryptFrom

kms:ReEncryptTo

To use this operation, the caller needs permission on two CMKs:

  • kms:ReEncryptFrom on the CMK used to decrypt

  • kms:ReEncryptTo on the CMK used to encrypt

Key policy

Yes

CMK

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:ReEncryptOnSameKey

ReplicateKey

kms:ReplicateKey

To use this operation, the caller needs the following permissions:

  • kms:ReplicateKey on the multi-Region primary key

  • kms:CreateKey in an IAM policy in the replica Region

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:ReplicaRegion

RetireGrant

kms:RetireGrant

Permission to retire a grant is determined primarily by the grant. A policy alone cannot allow access to this operation. For more information, see Retiring and revoking grants.

IAM policy

(This permission is not effective in a key policy.)

Yes

CMK

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

RevokeGrant

kms:RevokeGrant

Key policy

Yes

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:GrantIsForAWSResource

ScheduleKeyDeletion

kms:ScheduleKeyDeletion

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Sign

kms:Sign

Key policy

Yes

CMK (asymmetric only)

Conditions for signing and verification:

kms:MessageType

kms:RequestAlias

kms:SigningAlgorithm

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

TagResource

kms:TagResource

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Conditions for tagging:

aws:RequestTag/tag-key (AWS global condition key)

aws:TagKeys (AWS global condition key)

UntagResource

kms:UntagResource

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Conditions for tagging:

aws:RequestTag/tag-key (AWS global condition key)

aws:TagKeys (AWS global condition key)

UpdateAlias

kms:UpdateAlias

To use this operation, the caller needs kms:UpdateAlias permission on three resources:

  • The alias

  • The currently associated CMK

  • The newly associated CMK

For details, see Controlling access to aliases.

IAM policy (for the alias)

No

Alias

None (when controlling access to the alias)

Key policy (for the CMKs)

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

UpdateCustomKeyStore

kms:UpdateCustomKeyStore

IAM policy No

*

kms:CallerAccount

UpdateKeyDescription

kms:UpdateKeyDescription

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

UpdatePrimaryRegion

kms:UpdatePrimaryRegion

To use this operation, the caller needs kms:UpdatePrimaryRegion permission on both the multi-Region primary key that will become a replica key and the multi-Region replica key that will become the primary key.

Key policy

No

CMK

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions

kms:PrimaryRegion

Verify

kms:Verify

Key policy

Yes

CMK (asymmetric only)

Conditions for signing and verification:

kms:MessageType

kms:RequestAlias

kms:SigningAlgorithm

Conditions for CMK operations:

kms:CallerAccount

kms:CustomerMasterKeySpec

kms:CustomerMasterKeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

The columns in this table provide the following information:

  • Actions and permissions lists each AWS KMS API operation and the permission that allows the operation. You specify the operation in Action element of a policy statement.

  • Policy type indicates whether the permission can be used in a key policy or IAM policy.

    Key policy means that you can specify the permission in the key policy. When the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy.

    IAM policy means that you can specify the permission only in an IAM policy.

  • Cross-account use shows the operations that authorized users can perform on resources in a different AWS account.

    A value of Yes means that principals can perform the operation on resources in a different AWS account.

    A value of No means that principals can perform the operation only on resources in their own AWS account.

    If you give a principal in a different account a permission that can't be used on a cross-account resource, the permission is not effective. For example, if you give a principal in a different account kms:TagResource permission to a CMK in your account, their attempts to tag the CMK in your account will fail.

  • Resources lists the AWS KMS resources to which the permissions apply. AWS KMS supports two resource types: a customer master key (CMK) and an alias. In a key policy, the value of the Resource element is always *, which indicates the CMK to which the key policy is attached.

    Use the following values to represent an AWS KMS resource in an IAM policy.

    CMK

    When the resource is a customer master key (CMK), use its key ARN. For help, see Finding the key ID and ARN.

    arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID

    For example:

    arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

    Alias

    When the resource is an alias, use its alias ARN. For help, see Finding the alias name and alias ARN.

    arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name

    For example:

    arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

    * (asterisk)

    When the permission doesn't apply to a particular resource (CMK or alias), use an asterisk (*).

    In an IAM policy for an AWS KMS permission, an asterisk in the Resource element indicates all AWS KMS resources (CMKs and aliases). You can also use an asterisk in the Resource element when the AWS KMS permission doesn't apply to any particular CMKs or aliases. For example, when allowing or denying kms:CreateKey or kms:ListKeys permission, you can set the Resource element to * or to an account-specific variation, such as arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*.

  • AWS KMS condition keys lists the AWS KMS condition keys that you can use to control access to the operation. You specify conditions in a policy's Condition element. For more information, see AWS KMS condition keys. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.