AWS KMS API permissions: Actions and resources reference

The Actions and Resources Table is designed to help you define access control in key policies and IAM policies. The columns provide the following information:

API operations and actions (permissions) lists each AWS KMS API operation and the corresponding action (permission) that allows the operation. You specify actions in a policy's Action element.
Policy type indicates whether the permission can be used in a key policy or IAM policy. When the type is key policy, you can specify the permission explicitly in the key policy. Or, if the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy. When the type is IAM policy, you can specify the permission only in an IAM policy.
Resources lists the AWS KMS resources to which the permissions apply. AWS KMS supports two resource types: a customer master key (CMK) and an alias. In a key policy, the value of the Resource element is always *, which indicates the CMK to which the key policy is attached.

Use the following values to represent an AWS KMS resource in an IAM policy.

CMK

When the resource is a customer master key (CMK), use its key ARN. For help, see Finding the key ID and ARN.

arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID

For example:

arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Alias

When the resource is an alias, use its alias ARN. To get the alias ARN, use the ListAliases operation.

arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name

For example:

arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

* (asterisk)

When the permission doesn't apply to a particular resource (CMK or alias), use an asterisk (*).

In an IAM policy for an AWS KMS permission, an asterisk in the Resource element indicates all AWS KMS resources (CMKs and aliases). You can also use an asterisk in the Resource element when the AWS KMS permission doesn't apply to any particular CMKs or aliases. For example, when allowing or denying kms:CreateKey or kms:ListKeys permission, you can set the Resource element to * or to an account-specific variation, such as arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*.
AWS KMS condition keys lists the AWS KMS condition keys that you can use to control access to the operation. You specify conditions in a policy's Condition element. For more information, see AWS KMS condition keys. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.

AWS KMS API operations and permissions
API operations and actions (permissions)	Policy type	Resources (for IAM policies)	AWS KMS condition keys
CancelKeyDeletion `kms:CancelKeyDeletion`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ConnectCustomKeyStore `kms:ConnectCustomKeyStore`	IAM policy	`*`	`kms:CallerAccount`
CreateAlias `kms:CreateAlias` To use this operation, the caller needs `kms:CreateAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy) For details, see Controlling access to aliases.	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMK)	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
CreateCustomKeyStore `kms:CreateCustomKeyStore`	IAM policy	`*`	`kms:CallerAccount`
CreateGrant `kms:CreateGrant`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:GrantConstraintType` `kms:GranteePrincipal` `kms:GrantIsForAWSResource` `kms:GrantOperations` `kms:RetiringPrincipal` `kms:ViaService`
CreateKey `kms:CreateKey`	IAM policy	`*`	`kms:BypassPolicyLockoutSafetyCheck` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin`
Decrypt `kms:Decrypt`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
DeleteAlias `kms:DeleteAlias` To use this operation, the caller needs `kms:DeleteAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy) For details, see Controlling access to aliases.	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMK)	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
DeleteCustomKeyStore `kms:DeleteCustomKeyStore`	IAM policy	`*`	`kms:CallerAccount`
DeleteImportedKeyMaterial `kms:DeleteImportedKeyMaterial`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
DescribeCustomKeyStores `kms:DescribeCustomKeyStores`	IAM policy	`*`	`kms:CallerAccount`
DescribeKey `kms:DescribeKey`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
DisableKey `kms:DisableKey`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
DisableKeyRotation `kms:DisableKeyRotation`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
DisconnectCustomKeyStore `kms:DisconnectCustomKeyStore`	IAM policy	`*`
EnableKey `kms:EnableKey`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
EnableKeyRotation `kms:EnableKeyRotation`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
Encrypt `kms:Encrypt`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateDataKey `kms:GenerateDataKey`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateDataKeyPair `kms:GenerateDataKeyPair`	Key policy	CMK (symmetric only) `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext` generate an asymmetric data key pair that is protected by a symmetric CMK.	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:DataKeyPairSpec` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateDataKeyPairWithoutPlaintext `kms:GenerateDataKeyPairWithoutPlaintext`	Key policy	CMK (symmetric only) `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext` generate an asymmetric data key pair that is protected by a symmetric CMK.	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:DataKeyPairSpec` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateDataKeyWithoutPlaintext `kms:GenerateDataKeyWithoutPlaintext`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateRandom `kms:GenerateRandom`	IAM policy	`*`	None
GetKeyPolicy `kms:GetKeyPolicy`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
GetKeyRotationStatus `kms:GetKeyRotationStatus`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
GetParametersForImport `kms:GetParametersForImport`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService` `kms:WrappingAlgorithm` `kms:WrappingKeySpec`
GetPublicKey `kms:GetPublicKey`	Key policy	CMK (asymmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ImportKeyMaterial `kms:ImportKeyMaterial`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ExpirationModel` `kms:ValidTo` `kms:ViaService`
ListAliases `kms:ListAliases`	IAM policy	`*`	None
ListGrants `kms:ListGrants`	Key policy	CMK	`kms:CallerAccount` `kms:GrantIsForAWSResource` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ListKeyPolicies `kms:ListKeyPolicies`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ListKeys `kms:ListKeys`	IAM policy	`*`	None
ListResourceTags `kms:ListResourceTags`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ListRetirableGrants `kms:ListRetirableGrants`	IAM policy	`*`	None
PutKeyPolicy `kms:PutKeyPolicy`	Key policy	CMK	`kms:BypassPolicyLockoutSafetyCheck` `kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ReEncrypt `kms:ReEncryptFrom` `kms:ReEncryptTo` To use this operation, the caller needs permission on two CMKs: `kms:ReEncryptFrom` on the CMK used to decrypt `kms:ReEncryptTo` on the CMK used to encrypt	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ReEncryptOnSameKey` `kms:ViaService`
RetireGrant Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see RetireGrant in the AWS Key Management Service API Reference.	Not applicable	Not applicable	Not applicable
RevokeGrant `kms:RevokeGrant`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:GrantIsForAWSResource` `kms:ViaService`
ScheduleKeyDeletion `kms:ScheduleKeyDeletion`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
Sign `kms:Sign`	Key policy	CMK (asymmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:MessageType` `kms:SigningAlgorithm` `kms:ViaService`
TagResource `kms:TagResource`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService` `aws:RequestTag` (AWS global condition key) `aws:TagKeys` (AWS global condition key)
UntagResource `kms:UntagResource`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService` `aws:RequestTag` (AWS global condition key) `aws:TagKeys` (AWS global condition key)
UpdateAlias `kms:UpdateAlias` To use this operation, the caller needs `kms:UpdateAlias` permission on three resources: The alias The currently associated CMK The newly associated CMK For details, see Controlling access to aliases.	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMKs)	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
UpdateCustomKeyStore `kms:UpdateCustomKeyStore`	IAM policy	`*`	`kms:CallerAccount`
UpdateKeyDescription `kms:UpdateKeyDescription`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
Verify `kms:Verify`	Key policy	CMK (asymmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:MessageType` `kms:SigningAlgorithm` `kms:ViaService`

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Allowing cross-account access to a CMK

Using policy conditions