AWS KMS permissions

This table is designed to help you understand AWS KMS permissions so you can control access to your AWS KMS resources. Definitions of the column headings appear below the table.

You can also learn about AWS KMS permissions in the Actions, resources, and condition keys for AWS Key Management Service topic of the Service Authorization Reference. However, that topic doesn't list all of the condition keys that you can use to refine each permission.

Note

You might have to scroll horizontally or vertically to see all of the data in the table.

Actions and permissions	Policy type	Cross-account use	Resources (for IAM policies)	AWS KMS condition keys
CancelKeyDeletion `kms:CancelKeyDeletion`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
ConnectCustomKeyStore `kms:ConnectCustomKeyStore`	IAM policy	No	`*`	kms:CallerAccount
CreateAlias `kms:CreateAlias` To use this operation, the caller needs `kms:CreateAlias` permission on two resources: The alias (in an IAM policy) The KMS key (in a key policy) For details, see Controlling access to aliases.	IAM policy (for the alias)	No	Alias	None (when controlling access to the alias)
	Key policy (for the KMS key)	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
CreateCustomKeyStore `kms:CreateCustomKeyStore`	IAM policy	No	`*`	kms:CallerAccount
CreateGrant `kms:CreateGrant`	Key policy	Yes	KMS key	Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Grant conditions: kms:GrantConstraintType kms:GranteePrincipal kms:GrantIsForAWSResource kms:GrantOperations kms:RetiringPrincipal Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
CreateKey `kms:CreateKey`	IAM policy	No	`*`	kms:BypassPolicyLockoutSafetyCheck kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ViaService aws:RequestTag/tag-key (AWS global condition key) aws:ResourceTag/tag-key (AWS global condition key) aws:TagKeys (AWS global condition key)
Decrypt `kms:Decrypt`	Key policy	Yes	KMS key	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DeleteAlias `kms:DeleteAlias` To use this operation, the caller needs `kms:DeleteAlias` permission on two resources: The alias (in an IAM policy) The KMS key (in a key policy) For details, see Controlling access to aliases.	IAM policy (for the alias)	No	Alias	None (when controlling access to the alias)
	Key policy (for the KMS key)	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DeleteCustomKeyStore `kms:DeleteCustomKeyStore`	IAM policy	No	`*`	kms:CallerAccount
DeleteImportedKeyMaterial `kms:DeleteImportedKeyMaterial`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DescribeCustomKeyStores `kms:DescribeCustomKeyStores`	IAM policy	No	`*`	kms:CallerAccount
DescribeKey `kms:DescribeKey`	Key policy	Yes	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:RequestAlias
DisableKey `kms:DisableKey`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DisableKeyRotation `kms:DisableKeyRotation`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DisconnectCustomKeyStore `kms:DisconnectCustomKeyStore`	IAM policy	No	`*`	kms:CallerAccount
EnableKey `kms:EnableKey`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
EnableKeyRotation `kms:EnableKeyRotation`	Key policy	No	KMS key (symmetric only)	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
Encrypt `kms:Encrypt`	Key policy	Yes	KMS key	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKey `kms:GenerateDataKey`	Key policy	Yes	KMS key (symmetric only)	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKeyPair `kms:GenerateDataKeyPair`	Key policy	Yes	KMS key (symmetric only) `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext` generate an asymmetric data key pair that is protected by a symmetric encryption KMS key.	Conditions for data key pairs: kms:DataKeyPairSpec Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKeyPairWithoutPlaintext `kms:GenerateDataKeyPairWithoutPlaintext`	Key policy	Yes	KMS key (symmetric only) `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext` generate an asymmetric data key pair that is protected by a symmetric encryption KMS key.	Conditions for data key pairs: kms:DataKeyPairSpec Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKeyWithoutPlaintext `kms:GenerateDataKeyWithoutPlaintext`	Key policy	Yes	KMS key (symmetric only)	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateMac `kms:GenerateMac`	Key policy	Yes	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Conditions for cryptographic operations: kms:MacAlgorithm kms:RequestAlias
GenerateRandom `kms:GenerateRandom`	IAM policy	N/A	`*`	None
GetKeyPolicy `kms:GetKeyPolicy`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GetKeyRotationStatus `kms:GetKeyRotationStatus`	Key policy	Yes	KMS key (symmetric only)	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GetParametersForImport `kms:GetParametersForImport`	Key policy	No	KMS key (symmetric only)	kms:WrappingAlgorithm kms:WrappingKeySpec Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GetPublicKey `kms:GetPublicKey`	Key policy	Yes	KMS key (asymmetric only)	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:RequestAlias
ImportKeyMaterial `kms:ImportKeyMaterial`	Key policy	No	KMS key (symmetric only)	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:ExpirationModel kms:ValidTo
ListAliases `kms:ListAliases`	IAM policy	No	`*`	None
ListGrants `kms:ListGrants`	Key policy	Yes	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:GrantIsForAWSResource
ListKeyPolicies `kms:ListKeyPolicies`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
ListKeys `kms:ListKeys`	IAM policy	No	`*`	None
ListResourceTags `kms:ListResourceTags`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
ListRetirableGrants `kms:ListRetirableGrants`	IAM policy	The specified principal must be in the local account, but the operation returns grants in all accounts.	`*`	None
PutKeyPolicy `kms:PutKeyPolicy`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:BypassPolicyLockoutSafetyCheck
ReEncrypt `kms:ReEncryptFrom` `kms:ReEncryptTo` To use this operation, the caller needs permission on two KMS keys: `kms:ReEncryptFrom` on the KMS key used to decrypt `kms:ReEncryptTo` on the KMS key used to encrypt	Key policy	Yes	KMS key	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:ReEncryptOnSameKey
ReplicateKey `kms:ReplicateKey` To use this operation, the caller needs the following permissions: `kms:ReplicateKey` on the multi-Region primary key `kms:CreateKey` in an IAM policy in the replica Region	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:ReplicaRegion
RetireGrant `kms:RetireGrant` Permission to retire a grant is determined primarily by the grant. A policy alone cannot allow access to this operation. For more information, see Retiring and revoking grants.	IAM policy (This permission is not effective in a key policy.)	Yes	KMS key	kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key)
RevokeGrant `kms:RevokeGrant`	Key policy	Yes	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:GrantIsForAWSResource
ScheduleKeyDeletion `kms:ScheduleKeyDeletion`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
Sign `kms:Sign`	Key policy	Yes	KMS key (asymmetric only)	Conditions for signing and verification: kms:MessageType kms:RequestAlias kms:SigningAlgorithm Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
TagResource `kms:TagResource`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key) aws:TagKeys (AWS global condition key)
UntagResource `kms:UntagResource`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key) aws:TagKeys (AWS global condition key)
UpdateAlias `kms:UpdateAlias` To use this operation, the caller needs `kms:UpdateAlias` permission on three resources: The alias The currently associated KMS key The newly associated KMS key For details, see Controlling access to aliases.	IAM policy (for the alias)	No	Alias	None (when controlling access to the alias)
	Key policy (for the KMS keys)	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
UpdateCustomKeyStore `kms:UpdateCustomKeyStore`	IAM policy	No	`*`	kms:CallerAccount
UpdateKeyDescription `kms:UpdateKeyDescription`	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
UpdatePrimaryRegion `kms:UpdatePrimaryRegion` To use this operation, the caller needs `kms:UpdatePrimaryRegion` permission on both the multi-Region primary key that will become a replica key and the multi-Region replica key that will become the primary key.	Key policy	No	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions kms:PrimaryRegion
Verify `kms:Verify`	Key policy	Yes	KMS key (asymmetric only)	Conditions for signing and verification: kms:MessageType kms:RequestAlias kms:SigningAlgorithm Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
VerifyMac `kms:VerifyMac`	Key policy	Yes	KMS key	Conditions for KMS key operations: kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Conditions for cryptographic operations: kms:MacAlgorithm kms:RequestAlias

The columns in this table provide the following information:

Actions and permissions lists each AWS KMS API operation and the permission that allows the operation. You specify the operation in Action element of a policy statement.
Policy type indicates whether the permission can be used in a key policy or IAM policy.

Key policy means that you can specify the permission in the key policy. When the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy.

IAM policy means that you can specify the permission only in an IAM policy.
Cross-account use shows the operations that authorized users can perform on resources in a different AWS account.

A value of Yes means that principals can perform the operation on resources in a different AWS account.

A value of No means that principals can perform the operation only on resources in their own AWS account.

If you give a principal in a different account a permission that can't be used on a cross-account resource, the permission is not effective. For example, if you give a principal in a different account kms:TagResource permission to a KMS key in your account, their attempts to tag the KMS key in your account will fail.
Resources lists the AWS KMS resources to which the permissions apply. AWS KMS supports two resource types: a KMS key and an alias. In a key policy, the value of the Resource element is always *, which indicates the KMS key to which the key policy is attached.

Use the following values to represent an AWS KMS resource in an IAM policy.

KMS key

When the resource is a KMS key, use its key ARN. For help, see Finding the key ID and key ARN.

arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID

For example:

arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Alias

When the resource is an alias, use its alias ARN. For help, see Finding the alias name and alias ARN.

arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name

For example:

arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

* (asterisk)

When the permission doesn't apply to a particular resource (KMS key or alias), use an asterisk (*).

In an IAM policy for an AWS KMS permission, an asterisk in the Resource element indicates all AWS KMS resources (KMS keys and aliases). You can also use an asterisk in the Resource element when the AWS KMS permission doesn't apply to any particular KMS keys or aliases. For example, when allowing or denying kms:CreateKey or kms:ListKeys permission, you can set the Resource element to * or to an account-specific variation, such as arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*.
AWS KMS condition keys lists the AWS KMS condition keys that you can use to control access to the operation. You specify conditions in a policy's Condition element. For more information, see AWS KMS condition keys. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Troubleshooting key access

Special-purpose keys