AWS KMS API permissions: Actions and resources reference - AWS Key Management Service

AWS KMS API permissions: Actions and resources reference

The Actions and Resources Table is designed to help you define access control in key policies and IAM policies. The columns provide the following information:

  • API operations and actions (permissions) lists each AWS KMS API operation and the corresponding action (permission) that allows the operation. You specify actions in a policy's Action element.

  • Policy type indicates whether the permission can be used in a key policy or IAM policy. When the type is key policy, you can specify the permission explicitly in the key policy. Or, if the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy. When the type is IAM policy, you can specify the permission only in an IAM policy.

  • Resources lists the AWS KMS resources to which the permissions apply. AWS KMS supports two resource types: a customer master key (CMK) and an alias. In a key policy, the value of the Resource element is always *, which indicates the CMK to which the key policy is attached.

    Use the following values to represent an AWS KMS resource in an IAM policy.

    CMK

    When the resource is a customer master key (CMK), use its key ARN. For help, see Finding the key ID and ARN.

    arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID

    For example:

    arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

    Alias

    When the resource is an alias, use its alias ARN. To get the alias ARN, use the ListAliases operation.

    arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name

    For example:

    arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

    * (asterisk)

    When the permission doesn't apply to a particular resource (CMK or alias), use an asterisk (*).

    In an IAM policy for an AWS KMS permission, an asterisk in the Resource element indicates all AWS KMS resources (CMKs and aliases). You can also use an asterisk in the Resource element when the AWS KMS permission doesn't apply to any particular CMKs or aliases. For example, when allowing or denying kms:CreateKey or kms:ListKeys permission, you can set the Resource element to * or to an account-specific variation, such as arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*.

  • AWS KMS condition keys lists the AWS KMS condition keys that you can use to control access to the operation. You specify conditions in a policy's Condition element. For more information, see AWS KMS condition keys. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.
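As an added example (not part of the AWS documentation), the following Python linter applies the Resource rules above to IAM policy statements: it recognises the key ARN, alias ARN and asterisk forms, and flags a statement that pairs an action with the wrong resource type. The action sets it uses are a subset of the table on this page; the statements it checks are constructed.

```python
import re

# Added example (not from the AWS documentation): a small linter for the
# Resource element of IAM policy statements that grant KMS actions, using
# the key ARN, alias ARN and asterisk forms described above.
KMS_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]*):(?P<account>\d{12})?:"
    r"(?P<resource>key/[^/]+|alias/[^/]+|\*)$"
)

# Actions whose Resource is * (or the account-wide arn:...:*) because they
# apply to no particular CMK or alias; subset taken from the table below.
ACCOUNT_LEVEL = {"kms:CreateKey", "kms:ListKeys", "kms:ListAliases",
                 "kms:GenerateRandom", "kms:ListRetirableGrants"}
# Alias operations accept the alias ARN in an IAM policy; the CMK side of
# the same action is granted in the key policy.
ALIAS_SCOPED = {"kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias"}


def classify_resource(arn):
    """Return 'cmk', 'alias', 'account-wildcard', 'all' or 'invalid'."""
    if arn == "*":
        return "all"
    m = KMS_ARN.match(arn)
    if not m:
        return "invalid"
    res = m.group("resource")
    if res == "*":
        return "account-wildcard"
    return "cmk" if res.startswith("key/") else "alias"


def check_statement(stmt):
    """Return findings (strings) for one IAM policy statement; [] if clean."""
    findings = []
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    for res in resources:
        kind = classify_resource(res)
        if kind == "invalid":
            findings.append(f"{res}: not a KMS key ARN, alias ARN or *")
            continue
        if kind == "all":
            findings.append("Resource * covers every CMK and alias; scope it down")
        for act in actions:
            if act in ACCOUNT_LEVEL and kind in ("cmk", "alias"):
                findings.append(f"{act} needs Resource * or arn:...:*, not {res}")
            elif act not in (ACCOUNT_LEVEL | ALIAS_SCOPED) and kind == "alias":
                findings.append(f"{act} applies to a CMK; use its key ARN, not {res}")
    return findings
```

A bare key ID in Resource is reported as invalid because an IAM policy needs the full key ARN, and a Resource of * is reported so that broad grants are reviewed deliberately.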

AWS KMS API operations and permissions
| API operation | Action (permission) | Policy type | Resources (for IAM policies) | AWS KMS condition keys |
|---|---|---|---|---|
| CancelKeyDeletion | kms:CancelKeyDeletion | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| ConnectCustomKeyStore | kms:ConnectCustomKeyStore | IAM policy | * | kms:CallerAccount |
| CreateAlias | kms:CreateAlias. To use this operation, the caller needs kms:CreateAlias permission on two resources: the alias (in an IAM policy) and the CMK (in a key policy). For details, see Controlling access to aliases. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| CreateAlias | kms:CreateAlias | Key policy (for the CMK) | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| CreateCustomKeyStore | kms:CreateCustomKeyStore | IAM policy | * | kms:CallerAccount |
| CreateGrant | kms:CreateGrant | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:EncryptionContext:, kms:EncryptionContextKeys, kms:GrantConstraintType, kms:GranteePrincipal, kms:GrantIsForAWSResource, kms:GrantOperations, kms:RetiringPrincipal, kms:ViaService |
| CreateKey | kms:CreateKey | IAM policy | * | kms:BypassPolicyLockoutSafetyCheck, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin |
| Decrypt | kms:Decrypt | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys, kms:ViaService |
| DeleteAlias | kms:DeleteAlias. To use this operation, the caller needs kms:DeleteAlias permission on two resources: the alias (in an IAM policy) and the CMK (in a key policy). For details, see Controlling access to aliases. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| DeleteAlias | kms:DeleteAlias | Key policy (for the CMK) | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| DeleteCustomKeyStore | kms:DeleteCustomKeyStore | IAM policy | * | kms:CallerAccount |
| DeleteImportedKeyMaterial | kms:DeleteImportedKeyMaterial | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| DescribeCustomKeyStores | kms:DescribeCustomKeyStores | IAM policy | * | kms:CallerAccount |
| DescribeKey | kms:DescribeKey | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| DisableKey | kms:DisableKey | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| DisableKeyRotation | kms:DisableKeyRotation | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| DisconnectCustomKeyStore | kms:DisconnectCustomKeyStore | IAM policy | * | |
| EnableKey | kms:EnableKey | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| EnableKeyRotation | kms:EnableKeyRotation | Key policy | CMK (symmetric only) | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| Encrypt | kms:Encrypt | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys, kms:ViaService |
| GenerateDataKey | kms:GenerateDataKey | Key policy | CMK (symmetric only) | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys, kms:ViaService |
| GenerateDataKeyPair | kms:GenerateDataKeyPair | Key policy | CMK (symmetric only). GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric CMK. | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:DataKeyPairSpec, kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys, kms:ViaService |
| GenerateDataKeyPairWithoutPlaintext | kms:GenerateDataKeyPairWithoutPlaintext | Key policy | CMK (symmetric only). GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext generate an asymmetric data key pair that is protected by a symmetric CMK. | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:DataKeyPairSpec, kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys, kms:ViaService |
| GenerateDataKeyWithoutPlaintext | kms:GenerateDataKeyWithoutPlaintext | Key policy | CMK (symmetric only) | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys, kms:ViaService |
| GenerateRandom | kms:GenerateRandom | IAM policy | * | None |
| GetKeyPolicy | kms:GetKeyPolicy | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| GetKeyRotationStatus | kms:GetKeyRotationStatus | Key policy | CMK (symmetric only) | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| GetParametersForImport | kms:GetParametersForImport | Key policy | CMK (symmetric only) | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService, kms:WrappingAlgorithm, kms:WrappingKeySpec |
| GetPublicKey | kms:GetPublicKey | Key policy | CMK (asymmetric only) | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| ImportKeyMaterial | kms:ImportKeyMaterial | Key policy | CMK (symmetric only) | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ExpirationModel, kms:ValidTo, kms:ViaService |
| ListAliases | kms:ListAliases | IAM policy | * | None |
| ListGrants | kms:ListGrants | Key policy | CMK | kms:CallerAccount, kms:GrantIsForAWSResource, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| ListKeyPolicies | kms:ListKeyPolicies | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| ListKeys | kms:ListKeys | IAM policy | * | None |
| ListResourceTags | kms:ListResourceTags | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| ListRetirableGrants | kms:ListRetirableGrants | IAM policy | * | None |
| PutKeyPolicy | kms:PutKeyPolicy | Key policy | CMK | kms:BypassPolicyLockoutSafetyCheck, kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| ReEncrypt | kms:ReEncryptFrom, kms:ReEncryptTo. To use this operation, the caller needs permission on two CMKs: kms:ReEncryptFrom on the CMK used to decrypt and kms:ReEncryptTo on the CMK used to encrypt. | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:EncryptionAlgorithm, kms:EncryptionContext:, kms:EncryptionContextKeys, kms:ReEncryptOnSameKey, kms:ViaService |
| RetireGrant | Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see RetireGrant in the AWS Key Management Service API Reference. | Not applicable | Not applicable | Not applicable |
| RevokeGrant | kms:RevokeGrant | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:GrantIsForAWSResource, kms:ViaService |
| ScheduleKeyDeletion | kms:ScheduleKeyDeletion | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| Sign | kms:Sign | Key policy | CMK (asymmetric only) | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:MessageType, kms:SigningAlgorithm, kms:ViaService |
| TagResource | kms:TagResource | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService, aws:RequestTag (AWS global condition key), aws:TagKeys (AWS global condition key) |
| UntagResource | kms:UntagResource | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService, aws:RequestTag (AWS global condition key), aws:TagKeys (AWS global condition key) |
| UpdateAlias | kms:UpdateAlias. To use this operation, the caller needs kms:UpdateAlias permission on three resources: the alias, the currently associated CMK and the newly associated CMK. For details, see Controlling access to aliases. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| UpdateAlias | kms:UpdateAlias | Key policy (for the CMKs) | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| UpdateCustomKeyStore | kms:UpdateCustomKeyStore | IAM policy | * | kms:CallerAccount |
| UpdateKeyDescription | kms:UpdateKeyDescription | Key policy | CMK | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:ViaService |
| Verify | kms:Verify | Key policy | CMK (asymmetric only) | kms:CallerAccount, kms:CustomerMasterKeySpec, kms:CustomerMasterKeyUsage, kms:KeyOrigin, kms:MessageType, kms:SigningAlgorithm, kms:ViaService |