AWS KMS API permissions: Actions and resources reference

The Actions and Resources Table is designed to help you define access control in key policies and IAM policies. The columns provide the following information:

API operations and actions (permissions) lists each AWS KMS API operation and the corresponding action (permission) that allows the operation. You specify actions in a policy's Action element.
Policy type indicates whether the permission can be used in a key policy or IAM policy. When the type is key policy, you can specify the permission explicitly in the key policy. Or, if the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy. When the type is IAM policy, you can specify the permission only in an IAM policy.
Resources lists the resources for which you can allow the operation. To specify a resource in an IAM policy, type the Amazon Resource Name (ARN) in the Resource element. Because a key policy applies only to the CMK that it is attached to, the value of its Resource element is always "*".

Each resource type is associated with an ARN that you use to represent the resource.

CMK ARNs

When the resource is a CMK, you represent it by using a CMK ARN.

arn:AWS_partition_name:AWS_Region:AWS_account_ID:key/CMK_key_ID

For example:

arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Alias ARNs

When the resource is an alias, you represent it by using an alias ARN.

arn:AWS_partition_name:AWS_region:AWS_account_ID:alias/alias_name

For example:

arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias
AWS KMS condition keys lists the AWS KMS condition keys that you can use to control access to the operation. You specify conditions in a policy's Condition element. For more information, see AWS KMS condition keys. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.

AWS KMS API operations and permissions
API operations and actions (permissions)	Policy type	Resources (for IAM policies)	AWS KMS condition keys
CancelKeyDeletion `kms:CancelKeyDeletion`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ConnectCustomKeyStore `kms:ConnectCustomKeyStore`	IAM policy	`*`	`kms:CallerAccount`
CreateAlias `kms:CreateAlias` To use this operation, the caller needs `kms:CreateAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy)	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMK)	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
CreateCustomKeyStore `kms:CreateCustomKeyStore`	IAM policy	`*`	`kms:CallerAccount`
CreateGrant `kms:CreateGrant`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:GrantConstraintType` `kms:GranteePrincipal` `kms:GrantIsForAWSResource` `kms:GrantOperations` `kms:RetiringPrincipal` `kms:ViaService`
CreateKey `kms:CreateKey`	IAM policy	`*`	`kms:BypassPolicyLockoutSafetyCheck` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin`
Decrypt `kms:Decrypt`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
DeleteAlias `kms:DeleteAlias` To use this operation, the caller needs `kms:DeleteAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy)	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMK)	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
DeleteCustomKeyStore `kms:DeleteCustomKeyStore`	IAM policy	`*`	`kms:CallerAccount`
DeleteImportedKeyMaterial `kms:DeleteImportedKeyMaterial`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
DescribeCustomKeyStores `kms:DescribeCustomKeyStores`	IAM policy	`*`	`kms:CallerAccount`
DescribeKey `kms:DescribeKey`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
DisableKey `kms:DisableKey`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
DisableKeyRotation `kms:DisableKeyRotation`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
DisconnectCustomKeyStore `kms:DisconnectCustomKeyStore`	IAM policy	`*`	`kms:CallerAccount`
EnableKey `kms:EnableKey`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
EnableKeyRotation `kms:EnableKeyRotation`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
Encrypt `kms:Encrypt`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateDataKey `kms:GenerateDataKey`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateDataKeyPair `kms:GenerateDataKeyPair`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:DataKeyPairSpec` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateDataKeyPairWithoutPlaintext `kms:GenerateDataKeyPairWithoutPlaintext`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:DataKeyPairSpec` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateDataKeyWithoutPlaintext `kms:GenerateDataKeyWithoutPlaintext`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateRandom `kms:GenerateRandom`	IAM policy	`*`	None
GetKeyPolicy `kms:GetKeyPolicy`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
GetKeyRotationStatus `kms:GetKeyRotationStatus`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
GetParametersForImport `kms:GetParametersForImport`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService` `kms:WrappingAlgorithm` `kms:WrappingKeySpec`
GetPublicKey `kms:GetPublicKey`	Key policy	CMK (asymmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ImportKeyMaterial `kms:ImportKeyMaterial`	Key policy	CMK (symmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ExpirationModel` `kms:ValidTo` `kms:ViaService`
ListAliases `kms:ListAliases`	IAM policy	`*`	None
ListGrants `kms:ListGrants`	Key policy	CMK	`kms:CallerAccount` `kms:GrantIsForAWSResource` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ListKeyPolicies `kms:ListKeyPolicies`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ListKeys `kms:ListKeys`	IAM policy	`*`	None
ListResourceTags `kms:ListResourceTags`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ListRetirableGrants `kms:ListRetirableGrants`	IAM policy	`*`	None
PutKeyPolicy `kms:PutKeyPolicy`	Key policy	CMK	`kms:BypassPolicyLockoutSafetyCheck` `kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
ReEncrypt `kms:ReEncryptFrom` `kms:ReEncryptTo` To use this operation, the caller needs permission on two CMKs: `kms:ReEncryptFrom` on the CMK used to decrypt `kms:ReEncryptTo` on the CMK used to encrypt	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:EncryptionAlgorithm` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ReEncryptOnSameKey` `kms:ViaService`
RetireGrant Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see RetireGrant in the AWS Key Management Service API Reference.	Not applicable	Not applicable	Not applicable
RevokeGrant `kms:RevokeGrant`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:GrantIsForAWSResource` `kms:ViaService`
ScheduleKeyDeletion `kms:ScheduleKeyDeletion`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
Sign `kms:Sign`	Key policy	CMK (asymmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:MessageType` `kms:SigningAlgorithm` `kms:ViaService`
TagResource `kms:TagResource`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService` `aws:RequestTag` (AWS global condition key) `aws:TagKeys` (AWS global condition key)
UntagResource `kms:UntagResource`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService` `aws:RequestTag` (AWS global condition key) `aws:TagKeys` (AWS global condition key)
UpdateAlias `kms:UpdateAlias` To use this operation, the caller needs `kms:UpdateAlias` permission on three resources: The alias The CMK that alias currently points to The CMK that is specified in the `UpdateAlias` request	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMKs)	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
UpdateCustomKeyStore `kms:UpdateCustomKeyStore`	IAM policy	`*`	`kms:CallerAccount`
UpdateKeyDescription `kms:UpdateKeyDescription`	Key policy	CMK	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:ViaService`
Verify `kms:Verify`	Key policy	CMK (asymmetric only)	`kms:CallerAccount` `kms:CustomerMasterKeySpec` `kms:CustomerMasterKeyUsage` `kms:KeyOrigin` `kms:MessageType` `kms:SigningAlgorithm` `kms:ViaService`

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Allowing cross-account access to a CMK

Using policy conditions