AWS KMS permissions

The AWS KMS permissions table lists the permissions for each AWS KMS operation so you can use them correctly in key policies and IAM policies.

Important

Be cautious when giving principals permission to create and manage the policies and grants that control access to your customer master keys (CMKs). Principals who have permission to manage tags and aliases can also control access to a CMK. For details, see Using ABAC for AWS KMS.

Note

You might need to scroll horizontally and vertically to see all of the data in this table.

Actions and permissions	Policy type	Resources (for IAM policies)	AWS KMS condition keys
CancelKeyDeletion `kms:CancelKeyDeletion`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
ConnectCustomKeyStore `kms:ConnectCustomKeyStore`	IAM policy	`*`	kms:CallerAccount
CreateAlias `kms:CreateAlias` To use this operation, the caller needs `kms:CreateAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy) For details, see Controlling access to aliases.	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMK)	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
CreateCustomKeyStore `kms:CreateCustomKeyStore`	IAM policy	`*`	kms:CallerAccount
CreateGrant `kms:CreateGrant`	Key policy	CMK	Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Grant conditions: kms:GrantConstraintType kms:GranteePrincipal kms:GrantIsForAWSResource kms:GrantOperations kms:RetiringPrincipal Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
CreateKey `kms:CreateKey`	IAM policy	`*`	kms:BypassPolicyLockoutSafetyCheck kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin aws:RequestTag/tag-key (AWS global condition key)
Decrypt `kms:Decrypt`	Key policy	CMK	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DeleteAlias `kms:DeleteAlias` To use this operation, the caller needs `kms:DeleteAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy) For details, see Controlling access to aliases.	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMK)	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DeleteCustomKeyStore `kms:DeleteCustomKeyStore`	IAM policy	`*`	kms:CallerAccount
DeleteImportedKeyMaterial `kms:DeleteImportedKeyMaterial`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DescribeCustomKeyStores `kms:DescribeCustomKeyStores`	IAM policy	`*`	kms:CallerAccount
DescribeKey `kms:DescribeKey`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:RequestAlias
DisableKey `kms:DisableKey`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DisableKeyRotation `kms:DisableKeyRotation`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DisconnectCustomKeyStore `kms:DisconnectCustomKeyStore`	IAM policy	`*`	kms:CallerAccount
EnableKey `kms:EnableKey`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
EnableKeyRotation `kms:EnableKeyRotation`	Key policy	CMK (symmetric only)	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
Encrypt `kms:Encrypt`	Key policy	CMK	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKey `kms:GenerateDataKey`	Key policy	CMK (symmetric only)	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKeyPair `kms:GenerateDataKeyPair`	Key policy	CMK (symmetric only) `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext` generate an asymmetric data key pair that is protected by a symmetric CMK.	Conditions for data key pairs: kms:DataKeyPairSpec Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKeyPairWithoutPlaintext `kms:GenerateDataKeyPairWithoutPlaintext`	Key policy	CMK (symmetric only) `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext` generate an asymmetric data key pair that is protected by a symmetric CMK.	Conditions for data key pairs: kms:DataKeyPairSpec Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKeyWithoutPlaintext `kms:GenerateDataKeyWithoutPlaintext`	Key policy	CMK (symmetric only)	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateRandom `kms:GenerateRandom`	IAM policy	`*`	None
GetKeyPolicy `kms:GetKeyPolicy`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GetKeyRotationStatus `kms:GetKeyRotationStatus`	Key policy	CMK (symmetric only)	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GetParametersForImport `kms:GetParametersForImport`	Key policy	CMK (symmetric only)	kms:WrappingAlgorithm kms:WrappingKeySpec Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GetPublicKey `kms:GetPublicKey`	Key policy	CMK (asymmetric only)	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:RequestAlias
ImportKeyMaterial `kms:ImportKeyMaterial`	Key policy	CMK (symmetric only)	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:ExpirationModel kms:ValidTo
ListAliases `kms:ListAliases`	IAM policy	`*`	None
ListGrants `kms:ListGrants`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:GrantIsForAWSResource
ListKeyPolicies `kms:ListKeyPolicies`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
ListKeys `kms:ListKeys`	IAM policy	`*`	None
ListResourceTags `kms:ListResourceTags`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
ListRetirableGrants `kms:ListRetirableGrants`	IAM policy	`*`	None
PutKeyPolicy `kms:PutKeyPolicy`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:BypassPolicyLockoutSafetyCheck
ReEncrypt `kms:ReEncryptFrom` `kms:ReEncryptTo` To use this operation, the caller needs permission on two CMKs: `kms:ReEncryptFrom` on the CMK used to decrypt `kms:ReEncryptTo` on the CMK used to encrypt	Key policy	CMK	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:ReEncryptOnSameKey
RetireGrant `kms:RetireGrant` Permission to retire a grant is determined primarily by the grant. A policy alone cannot allow access to this operation. For more information, see Retiring and revoking grants.	Key policy	CMK	kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key)
RevokeGrant `kms:RevokeGrant`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:GrantIsForAWSResource
ScheduleKeyDeletion `kms:ScheduleKeyDeletion`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
Sign `kms:Sign`	Key policy	CMK (asymmetric only)	Conditions for signing and verification: kms:MessageType kms:SigningAlgorithm Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
TagResource `kms:TagResource`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key) aws:TagKeys (AWS global condition key)
UntagResource `kms:UntagResource`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key) aws:TagKeys (AWS global condition key)
UpdateAlias `kms:UpdateAlias` To use this operation, the caller needs `kms:UpdateAlias` permission on three resources: The alias The currently associated CMK The newly associated CMK For details, see Controlling access to aliases.	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMKs)	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
UpdateCustomKeyStore `kms:UpdateCustomKeyStore`	IAM policy	`*`	kms:CallerAccount
UpdateKeyDescription `kms:UpdateKeyDescription`	Key policy	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
Verify `kms:Verify`	Key policy	CMK (asymmetric only)	Conditions for signing and verification: kms:MessageType kms:SigningAlgorithm Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService

The columns in this table provide the following information:

Actions and permissions lists each AWS KMS API operation and the permission that allows the operation. You specify the operation in Action element of a policy statement.
Policy type indicates whether the permission can be used in a key policy or IAM policy.

Key policy means that you can specify the permission in the key policy. When the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy.

IAM policy means that you can specify the permission only in an IAM policy.
Resources lists the AWS KMS resources to which the permissions apply. AWS KMS supports two resource types: a customer master key (CMK) and an alias. In a key policy, the value of the Resource element is always *, which indicates the CMK to which the key policy is attached.

Use the following values to represent an AWS KMS resource in an IAM policy.

CMK

When the resource is a customer master key (CMK), use its key ARN. For help, see Finding the key ID and ARN.

arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID

For example:

arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Alias

When the resource is an alias, use its alias ARN. For help, see Finding the alias name and alias ARN.

arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name

For example:

arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

* (asterisk)

When the permission doesn't apply to a particular resource (CMK or alias), use an asterisk (*).

In an IAM policy for an AWS KMS permission, an asterisk in the Resource element indicates all AWS KMS resources (CMKs and aliases). You can also use an asterisk in the Resource element when the AWS KMS permission doesn't apply to any particular CMKs or aliases. For example, when allowing or denying kms:CreateKey or kms:ListKeys permission, you can set the Resource element to * or to an account-specific variation, such as arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*.
AWS KMS condition keys lists the AWS KMS condition keys that you can use to limit a permission. You specify conditions in a policy's Condition element. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Allowing cross-account access to a CMK

Using policy conditions