AWS KMS permissions
The AWS KMS permissions table lists the permissions for each AWS KMS operation so you can use them correctly in key policies and IAM policies.
Be cautious when giving principals permission to create and manage the policies and grants that control access to your customer master keys (CMKs). Principals who have permission to manage tags and aliases can also control access to a CMK. For details, see Using ABAC for AWS KMS.
| Actions and permissions | Policy type | Resources (for IAM policies) | AWS KMS condition keys |
| --- | --- | --- | --- |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| ConnectCustomKeyStore | IAM policy | | |
| To use this operation, the caller needs … For details, see Controlling access to aliases. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| (same operation) | Key policy (for the CMK) | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| CreateCustomKeyStore | IAM policy | | |
| | Key policy | CMK | Encryption context conditions; Grant conditions; Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | IAM policy | | kms:BypassPolicyLockoutSafetyCheck; aws:RequestTag (AWS global condition key) |
| | Key policy | CMK | Conditions for cryptographic operations; Encryption context conditions; Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| To use this operation, the caller needs … For details, see Controlling access to aliases. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| (same operation) | Key policy (for the CMK) | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| DeleteCustomKeyStore | IAM policy | | |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| DescribeCustomKeyStores | IAM policy | | |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key); Other conditions |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| DisconnectCustomKeyStore | IAM policy | | |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK (symmetric only) | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK | Conditions for cryptographic operations; Encryption context conditions; Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK (symmetric only) | Conditions for cryptographic operations; Encryption context conditions; Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK (symmetric only) | Conditions for data key pairs; Conditions for cryptographic operations; Encryption context conditions; Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| GenerateDataKeyPairWithoutPlaintext | Key policy | CMK (symmetric only) | Conditions for data key pairs; Conditions for cryptographic operations; Encryption context conditions; Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| GenerateDataKeyWithoutPlaintext | Key policy | CMK (symmetric only) | Conditions for cryptographic operations; Encryption context conditions; Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | IAM policy | | None |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK (symmetric only) | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK (symmetric only) | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK (asymmetric only) | Conditions for CMK operations: aws:ResourceTag (AWS global condition key); Other conditions |
| | Key policy | CMK (symmetric only) | Conditions for CMK operations: aws:ResourceTag (AWS global condition key); Other conditions: kms:ExpirationModel |
| | IAM policy | | None |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key); Other conditions |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | IAM policy | | None |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | IAM policy | | None |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key); Other conditions |
| To use this operation, the caller needs permission on two CMKs: … | Key policy | CMK | Conditions for cryptographic operations; Encryption context conditions; Conditions for CMK operations: aws:ResourceTag (AWS global condition key); Other conditions |
| Permission to retire a grant is determined primarily by the grant. A policy alone cannot allow access to this operation. For more information, see Retiring and revoking grants. | Key policy | CMK | aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key); Other conditions |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK (asymmetric only) | Conditions for signing and verification; Conditions for cryptographic operations; Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key); Conditions for tagging: aws:RequestTag (AWS global condition key), aws:TagKeys (AWS global condition key) |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key); Conditions for tagging: aws:RequestTag (AWS global condition key), aws:TagKeys (AWS global condition key) |
| To use this operation, the caller needs … For details, see Controlling access to aliases. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| (same operation) | Key policy (for the CMKs) | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| UpdateCustomKeyStore | IAM policy | | |
| | Key policy | CMK | Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
| | Key policy | CMK (asymmetric only) | Conditions for signing and verification; Conditions for cryptographic operations; Conditions for CMK operations: aws:ResourceTag (AWS global condition key) |
The columns in this table provide the following information:

- Actions and permissions lists each AWS KMS API operation and the permission that allows the operation. You specify the operation in the `Action` element of a policy statement.
- Policy type indicates whether the permission can be used in a key policy or an IAM policy.
  - Key policy means that you can specify the permission in the key policy. When the key policy contains the policy statement that enables IAM policies, you can also specify the permission in an IAM policy.
  - IAM policy means that you can specify the permission only in an IAM policy.
- Resources lists the AWS KMS resources to which the permissions apply. AWS KMS supports two resource types: a customer master key (CMK) and an alias. In a key policy, the value of the `Resource` element is always `*`, which indicates the CMK to which the key policy is attached. Use the following values to represent an AWS KMS resource in an IAM policy.
  - CMK: When the resource is a customer master key (CMK), use its key ARN. For help, see Finding the key ID and ARN. The format is `arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID`. For example: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
  - Alias: When the resource is an alias, use its alias ARN. For help, see Finding the alias name and alias ARN. The format is `arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name`. For example: `arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias`
  - `*` (asterisk): When the permission doesn't apply to a particular resource (CMK or alias), use an asterisk (`*`). In an IAM policy for an AWS KMS permission, an asterisk in the `Resource` element indicates all AWS KMS resources (CMKs and aliases). You can also use an asterisk in the `Resource` element when the AWS KMS permission doesn't apply to any particular CMKs or aliases. For example, when allowing or denying the `kms:CreateKey` or `kms:ListKeys` permission, you can set the `Resource` element to `*` or to an account-specific variation, such as `arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*`.
- AWS KMS condition keys lists the AWS KMS condition keys that you can use to limit a permission. You specify conditions in a policy's `Condition` element. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.
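The Resource patterns described above, and the introduction's caution about principals who can manage policies, grants, tags and aliases, can be checked mechanically in an IAM policy document. The following Python review is an added example, not part of the AWS documentation: the ARN regexes are an approximation of the formats above, the ACCESS_CONTROL list names real KMS permissions that this page's table does not spell out, and the sample policy is constructed (reusing the page's example account and key IDs).

```python
import fnmatch
import re

# Resource shapes from the Resources column (regexes are an added approximation).
KEY_ARN = re.compile(r"^arn:[^:]+:kms:[^:]+:\d{12}:key/[0-9a-f-]+$")
ALIAS_ARN = re.compile(r"^arn:[^:]+:kms:[^:]+:\d{12}:alias/[\w/-]+$")
ACCOUNT_WILDCARD = re.compile(r"^arn:[^:]+:kms:[^:]+:\d{12}:\*$")
# Permissions that let a principal change who may use a CMK (key policies, grants,
# ABAC tags, aliases); the page says to hand these out with care.
ACCESS_CONTROL = ["kms:PutKeyPolicy", "kms:CreateGrant", "kms:RevokeGrant",
                  "kms:TagResource", "kms:UntagResource", "kms:CreateAlias",
                  "kms:UpdateAlias", "kms:DeleteAlias"]
# Permissions the page says apply to no particular CMK or alias (lower-cased).
NON_RESOURCE = {"kms:createkey", "kms:listkeys"}

def classify_resource(arn):
    """Return 'all', 'cmk', 'alias', 'account' or 'invalid' for a Resource value."""
    if arn == "*":
        return "all"
    for kind, pattern in (("cmk", KEY_ARN), ("alias", ALIAS_ARN), ("account", ACCOUNT_WILDCARD)):
        if pattern.match(arn):
            return kind
    return "invalid"

def review_policy(policy):
    """Return (statement index, finding) pairs for the Allow statements of an IAM policy."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        kinds = {classify_resource(r) for r in as_list(stmt.get("Resource", []))}
        if "invalid" in kinds:
            findings.append((i, "malformed KMS resource ARN"))
        # Action values may be patterns such as kms:*, so match each sensitive action against them.
        risky = [a for a in ACCESS_CONTROL if any(fnmatch.fnmatch(a.lower(), p) for p in actions)]
        if risky:
            findings.append((i, "grants access-control permissions: " + ", ".join(risky)))
        if kinds & {"all", "account"} and "Condition" not in stmt and any(a not in NON_RESOURCE for a in actions):
            findings.append((i, "CMK permissions on a wildcard Resource without a Condition"))
    return findings

# Constructed sample policy; the account ID and key ID are the page's example values.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "Condition": {"StringEquals": {"aws:ResourceTag/Project": "Alpha"}}},
    {"Effect": "Allow", "Action": ["kms:CreateKey", "kms:ListKeys"],
     "Resource": "arn:aws:kms:us-west-2:111122223333:*"},
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
```

Only the third statement is flagged: the first is scoped to one key ARN with an aws:ResourceTag condition, and the second grants only permissions that take no particular CMK or alias, so its account-scoped wildcard is the expected Resource.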