AWS KMS API Permissions: Actions and Resources Reference
The Actions and Resources Table is designed to help you define access control in key policies and IAM policies. The columns provide the following information:
-
API Operations and Actions (Permissions) lists each AWS KMS API operation and the corresponding action (permission) that allows the operation. You specify actions in a policy's
Actionelement. -
Policy Type indicates whether the permission can be used in a key policy or IAM policy. When the type is key policy, you can specify the permission explicitly in the key policy. Or, if the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy. When the type is IAM policy, you can specify the permission only in an IAM policy.
-
Resources and ARNs lists the resources for which you can allow the operation. To specify a resource in an IAM policy, type the Amazon Resource Name (ARN) in the
Resourceelement. Because a key policy applies only to the CMK that it is attached to, the value of itsResourceelement is always"*". -
AWS KMS Condition Keys lists the AWS KMS condition keys that you can use to control access to the operation. You specify conditions in a policy's
Conditionelement. For more information, see AWS KMS Condition Keys. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.
If you see an expand arrow (↗) in the upper-right corner of the table, you can open the table in a new window. To close the window, choose the close button (X) in the lower-right corner.
AWS KMS API Operations and Permissions
| API Operations and Actions (Permissions) | Policy Type | Resources and ARNs (for IAM Policies) | AWS KMS Condition Keys |
|---|---|---|---|
|
|
Key policy |
CMK
|
|
| ConnectCustomKeyStore
|
IAM policy | * |
kms:CallerAccount |
|
To use this
operation, the caller needs
|
IAM policy (for the alias) |
Alias
|
None (when controlling access to the alias) |
|
Key policy (for the CMK) |
CMK
|
|
|
| CreateCustomKeyStore
|
IAM policy | * |
kms:CallerAccount |
|
|
Key policy |
CMK
|
|
|
|
IAM policy |
|
|
|
|
Key policy |
CMK
|
|
|
To use this
operation, the caller needs
|
IAM policy (for the alias) |
Alias
|
None (when controlling access to the alias) |
|
Key policy (for the CMK) |
CMK
|
|
|
| DeleteCustomKeyStore
|
IAM policy | * |
kms:CallerAccount |
|
|
Key policy |
CMK
|
|
| DescribeCustomKeyStores
|
IAM policy | * |
kms:CallerAccount |
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
| DisconnectCustomKeyStore
|
IAM policy | * |
kms:CallerAccount |
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
GenerateDataKeyWithoutPlaintext
|
Key policy |
CMK
|
|
|
|
IAM policy |
|
None |
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
|
IAM policy |
|
None |
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
|
IAM policy |
|
None |
|
|
Key policy |
CMK
|
|
|
|
IAM policy |
|
None |
|
|
Key policy |
CMK
|
|
|
To use this operation, the caller needs permission on two CMKs:
|
Key policy |
CMK
|
|
|
Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see RetireGrant in the AWS Key Management Service API Reference. |
Not applicable |
Not applicable |
Not applicable |
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
|
Key policy |
CMK
|
|
|
To use this
operation, the caller needs
|
IAM policy (for the alias) |
Alias
|
None (when controlling access to the alias) |
|
Key policy (for the CMKs) |
CMK
|
|
|
| UpdateCustomKeyStore
|
IAM policy | * |
kms:CallerAccount |
|
|
Key policy |
CMK
|
|
