AWS KMS permissions - AWS Key Management Service

AWS KMS permissions

The AWS KMS permissions table lists the permissions for each AWS KMS operation so you can use them correctly in key policies and IAM policies.

Important

Be cautious when giving principals permission to create and manage the policies and grants that control access to your customer master keys (CMKs). Principals who have permission to manage tags and aliases can also control access to a CMK. For details, see Using ABAC for AWS KMS.

| Actions and permissions | Policy type | Resources (for IAM policies) | AWS KMS condition keys |
|---|---|---|---|
| CancelKeyDeletion (kms:CancelKeyDeletion) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| ConnectCustomKeyStore (kms:ConnectCustomKeyStore) | IAM policy | * | kms:CallerAccount |
| CreateAlias (kms:CreateAlias). To use this operation, the caller needs kms:CreateAlias permission on two resources: the alias (in an IAM policy) and the CMK (in a key policy). For details, see Controlling access to aliases. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| CreateAlias (kms:CreateAlias), continued | Key policy (for the CMK) | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| CreateCustomKeyStore (kms:CreateCustomKeyStore) | IAM policy | * | kms:CallerAccount |
| CreateGrant (kms:CreateGrant) | Key policy | CMK | Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. Grant conditions: kms:GrantConstraintType, kms:GranteePrincipal, kms:GrantIsForAWSResource, kms:GrantOperations, kms:RetiringPrincipal. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| CreateKey (kms:CreateKey) | IAM policy | * | kms:BypassPolicyLockoutSafetyCheck, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, aws:RequestTag/tag-key (AWS global condition key) |
| Decrypt (kms:Decrypt) | Key policy | CMK | Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| DeleteAlias (kms:DeleteAlias). To use this operation, the caller needs kms:DeleteAlias permission on two resources: the alias (in an IAM policy) and the CMK (in a key policy). For details, see Controlling access to aliases. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| DeleteAlias (kms:DeleteAlias), continued | Key policy (for the CMK) | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| DeleteCustomKeyStore (kms:DeleteCustomKeyStore) | IAM policy | * | kms:CallerAccount |
| DeleteImportedKeyMaterial (kms:DeleteImportedKeyMaterial) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| DescribeCustomKeyStores (kms:DescribeCustomKeyStores) | IAM policy | * | kms:CallerAccount |
| DescribeKey (kms:DescribeKey) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService. Other conditions: kms:RequestAlias |
| DisableKey (kms:DisableKey) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| DisableKeyRotation (kms:DisableKeyRotation) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| DisconnectCustomKeyStore (kms:DisconnectCustomKeyStore) | IAM policy | * | kms:CallerAccount |
| EnableKey (kms:EnableKey) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| EnableKeyRotation (kms:EnableKeyRotation) | Key policy | CMK (symmetric only) | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| Encrypt (kms:Encrypt) | Key policy | CMK | Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| GenerateDataKey (kms:GenerateDataKey) | Key policy | CMK (symmetric only) | Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| GenerateDataKeyPair (kms:GenerateDataKeyPair) | Key policy | CMK (symmetric only). GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric CMK. | Conditions for data key pairs: kms:DataKeyPairSpec. Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| GenerateDataKeyPairWithoutPlaintext (kms:GenerateDataKeyPairWithoutPlaintext) | Key policy | CMK (symmetric only). GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric CMK. | Conditions for data key pairs: kms:DataKeyPairSpec. Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| GenerateDataKeyWithoutPlaintext (kms:GenerateDataKeyWithoutPlaintext) | Key policy | CMK (symmetric only) | Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| GenerateRandom (kms:GenerateRandom) | IAM policy | * | None |
| GetKeyPolicy (kms:GetKeyPolicy) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| GetKeyRotationStatus (kms:GetKeyRotationStatus) | Key policy | CMK (symmetric only) | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| GetParametersForImport (kms:GetParametersForImport) | Key policy | CMK (symmetric only) | kms:WrappingAlgorithm, kms:WrappingKeySpec. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| GetPublicKey (kms:GetPublicKey) | Key policy | CMK (asymmetric only) | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService. Other conditions: kms:RequestAlias |
| ImportKeyMaterial (kms:ImportKeyMaterial) | Key policy | CMK (symmetric only) | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService. Other conditions: kms:ExpirationModel, kms:ValidTo |
| ListAliases (kms:ListAliases) | IAM policy | * | None |
| ListGrants (kms:ListGrants) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService. Other conditions: kms:GrantIsForAWSResource |
| ListKeyPolicies (kms:ListKeyPolicies) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| ListKeys (kms:ListKeys) | IAM policy | * | None |
| ListResourceTags (kms:ListResourceTags) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| ListRetirableGrants (kms:ListRetirableGrants) | IAM policy | * | None |
| PutKeyPolicy (kms:PutKeyPolicy) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService. Other conditions: kms:BypassPolicyLockoutSafetyCheck |
| ReEncrypt (kms:ReEncryptFrom, kms:ReEncryptTo). To use this operation, the caller needs permission on two CMKs: kms:ReEncryptFrom on the CMK used to decrypt, and kms:ReEncryptTo on the CMK used to encrypt. | Key policy | CMK | Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService. Other conditions: kms:ReEncryptOnSameKey |
| RetireGrant (kms:RetireGrant). Permission to retire a grant is determined primarily by the grant. A policy alone cannot allow access to this operation. For more information, see Retiring and revoking grants. | Key policy | CMK | kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key) |
| RevokeGrant (kms:RevokeGrant) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService. Other conditions: kms:GrantIsForAWSResource |
| ScheduleKeyDeletion (kms:ScheduleKeyDeletion) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| Sign (kms:Sign) | Key policy | CMK (asymmetric only) | Conditions for signing and verification: kms:MessageType, kms:SigningAlgorithm. Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| TagResource (kms:TagResource) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService. Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key), aws:TagKeys (AWS global condition key) |
| UntagResource (kms:UntagResource) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService. Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key), aws:TagKeys (AWS global condition key) |
| UpdateAlias (kms:UpdateAlias). To use this operation, the caller needs kms:UpdateAlias permission on three resources: the alias, the currently associated CMK, and the newly associated CMK. For details, see Controlling access to aliases. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| UpdateAlias (kms:UpdateAlias), continued | Key policy (for the CMKs) | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| UpdateCustomKeyStore (kms:UpdateCustomKeyStore) | IAM policy | * | kms:CallerAccount |
| UpdateKeyDescription (kms:UpdateKeyDescription) | Key policy | CMK | Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| Verify (kms:Verify) | Key policy | CMK (asymmetric only) | Conditions for signing and verification: kms:MessageType, kms:SigningAlgorithm. Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Conditions for CMK operations: kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |

The columns in this table provide the following information:

  • Actions and permissions lists each AWS KMS API operation and the permission that allows the operation. You specify the operation in the Action element of a policy statement.

  • Policy type indicates whether the permission can be used in a key policy or IAM policy.

    Key policy means that you can specify the permission in the key policy. When the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy.

    IAM policy means that you can specify the permission only in an IAM policy.

  • Resources lists the AWS KMS resources to which the permissions apply. AWS KMS supports two resource types: a customer master key (CMK) and an alias. In a key policy, the value of the Resource element is always *, which indicates the CMK to which the key policy is attached.

    Use the following values to represent an AWS KMS resource in an IAM policy.

    CMK

    When the resource is a customer master key (CMK), use its key ARN. For help, see Finding the key ID and ARN.

    arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID

    For example:

    arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

    Alias

    When the resource is an alias, use its alias ARN. For help, see Finding the alias name and alias ARN.

    arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name

    For example:

    arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

    * (asterisk)

    When the permission doesn't apply to a particular resource (CMK or alias), use an asterisk (*).

    In an IAM policy for an AWS KMS permission, an asterisk in the Resource element indicates all AWS KMS resources (CMKs and aliases). You can also use an asterisk in the Resource element when the AWS KMS permission doesn't apply to any particular CMKs or aliases. For example, when allowing or denying kms:CreateKey or kms:ListKeys permission, you can set the Resource element to * or to an account-specific variation, such as arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*.

  • AWS KMS condition keys lists the AWS KMS condition keys that you can use to limit a permission. You specify conditions in a policy's Condition element. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.
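The rules this table encodes (which policy type each permission belongs in, which resource ARN form it takes, and which condition keys it supports) are the kind of thing that is easy to get wrong when writing policies by hand. The following is an added example, not code from the AWS documentation: a small linter that holds a subset of the table above and checks IAM policy statements against it, plus a check for the key-policy statement that enables IAM policies (the account root principal allowed kms:* on *, a known AWS pattern the page refers to but does not show). All ARNs, account IDs and the sample statements are constructed placeholders; the function and variable names are this example's own, and only the aws partition is assumed for the root principal ARN.

```python
"""Lint AWS KMS policy statements against the permissions table.

Added example, not AWS documentation code. It encodes a subset of the table
(policy type and supported condition keys per permission) and checks an IAM
policy statement or a key policy against it. ARNs, account IDs and sample
statements are constructed placeholders; names are this example's own.
"""
import re

# Condition-key groups exactly as the table names them.
CMK_OPS = {"kms:CallerAccount", "kms:CustomerMasterKeySpec", "kms:CustomerMasterKeyUsage",
           "kms:KeyOrigin", "kms:ResourceAliases", "aws:ResourceTag/tag-key", "kms:ViaService"}
CRYPTO = {"kms:EncryptionAlgorithm", "kms:RequestAlias",
          "kms:EncryptionContext:context-key", "kms:EncryptionContextKeys"}

# permission -> (policy type, allowed condition keys). "key" rows take a CMK
# resource; "iam" rows take "*" (or the account-specific arn:...:* variant).
TABLE = {
    "kms:Decrypt": ("key", CMK_OPS | CRYPTO),
    "kms:Encrypt": ("key", CMK_OPS | CRYPTO),
    "kms:GenerateDataKey": ("key", CMK_OPS | CRYPTO),
    "kms:DescribeKey": ("key", CMK_OPS | {"kms:RequestAlias"}),
    "kms:PutKeyPolicy": ("key", CMK_OPS | {"kms:BypassPolicyLockoutSafetyCheck"}),
    "kms:CreateAlias": ("key", CMK_OPS),   # plus the alias itself, in an IAM policy
    "kms:DeleteAlias": ("key", CMK_OPS),
    "kms:UpdateAlias": ("key", CMK_OPS),
    "kms:CreateKey": ("iam", {"kms:BypassPolicyLockoutSafetyCheck", "kms:CustomerMasterKeySpec",
                              "kms:CustomerMasterKeyUsage", "kms:KeyOrigin", "aws:RequestTag/tag-key"}),
    "kms:ListKeys": ("iam", set()),
    "kms:ListAliases": ("iam", set()),
    "kms:GenerateRandom": ("iam", set()),
}
ALIAS_OPS = {"kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias"}

# Resource forms described under "Resources" above.
KEY_ARN = re.compile(r"^arn:[^:]+:kms:[^:]+:\d{12}:key/[^/]+$")
ALIAS_ARN = re.compile(r"^arn:[^:]+:kms:[^:]+:\d{12}:alias/.+$")
ACCOUNT_STAR = re.compile(r"^arn:[^:]+:kms:[^:]*:\d{12}:\*$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _normalize(cond_key):
    """Collapse the variable suffix of tag and encryption-context keys."""
    for prefix, canonical in (("aws:ResourceTag/", "aws:ResourceTag/tag-key"),
                              ("aws:RequestTag/", "aws:RequestTag/tag-key"),
                              ("kms:EncryptionContext:", "kms:EncryptionContext:context-key")):
        if cond_key.startswith(prefix):
            return canonical
    return cond_key


def lint_iam_statement(stmt):
    """Return a list of findings for one IAM policy statement (empty = clean)."""
    findings = []
    cond_keys = {_normalize(k) for op in stmt.get("Condition", {}).values() for k in op}
    for action in _as_list(stmt["Action"]):
        if action not in TABLE:
            findings.append(f"{action}: not in the encoded subset of the table")
            continue
        ptype, allowed = TABLE[action]
        for res in _as_list(stmt["Resource"]):
            if res == "*" or ACCOUNT_STAR.match(res):
                if ptype == "key":   # a CMK permission on * reaches every CMK IAM is allowed to touch
                    findings.append(f"{action} on {res}: applies to every CMK; use the key ARN")
            elif KEY_ARN.match(res):
                if ptype == "iam":   # e.g. kms:CreateKey does not apply to a particular CMK
                    findings.append(f"{action} on {res}: permission does not apply to a CMK; use *")
            elif ALIAS_ARN.match(res):
                if action not in ALIAS_OPS:
                    findings.append(f"{action} on {res}: alias ARN is a resource only for alias operations")
            else:
                findings.append(f"{action} on {res}: not a KMS key ARN, alias ARN or *")
        for key in sorted(cond_keys - allowed):
            findings.append(f"{action}: condition key {key} is not supported for this permission")
    return findings


def key_policy_enables_iam(key_policy, account_id):
    """True if the key policy holds the statement that enables IAM policies
    (account root principal allowed kms:* on *). Assumes the aws partition."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in key_policy["Statement"]:
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and root in aws_principals
                and "kms:*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return True
    return False


# Constructed sample: a least-privilege statement for an application role.
GOOD = {
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "Condition": {"StringEquals": {"kms:ViaService": "s3.us-west-2.amazonaws.com"}},
}
# Constructed sample: the mistakes the table warns about (wildcard CMK access,
# an alias ARN on a non-alias operation, a condition key CreateKey lacks).
BAD = {
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:CreateKey"],
    "Resource": ["*", "arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias"],
    "Condition": {"StringEquals": {"kms:ViaService": "s3.us-west-2.amazonaws.com"}},
}
# Constructed sample key policy; in a key policy Resource is always "*".
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM policies", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    print("GOOD:", lint_iam_statement(GOOD))
    print("BAD:", *lint_iam_statement(BAD), sep="\n  ")
    print("IAM policies enabled:", key_policy_enables_iam(KEY_POLICY, "111122223333"))
```

Run stand-alone, the clean statement produces no findings and the flawed one produces four: Decrypt on * and on the alias ARN, CreateKey on the alias ARN, and kms:ViaService on CreateKey. Extending `TABLE` with the remaining rows of the table above is mechanical; the point of the design is that the check is a lookup against the documented permission rows rather than ad hoc rules.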