AWS KMS API Permissions: Actions and Resources Reference

The Actions and Resources Table is designed to help you define access control in key policies and IAM policies. The columns provide the following information:

API Operations and Actions (Permissions) lists each AWS KMS API operation and the corresponding action (permission) that allows the operation. You specify actions in a policy's Action element.
Policy Type indicates whether the permission can be used in a key policy or IAM policy. When the type is key policy, you can specify the permission explicitly in the key policy. Or, if the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy. When the type is IAM policy, you can specify the permission only in an IAM policy.
Resources and ARNs lists the resources for which you can allow the operation. To specify a resource in an IAM policy, type the Amazon Resource Name (ARN) in the Resource element. Because a key policy applies only to the CMK that it is attached to, the value of its Resource element is always "*".
AWS KMS Condition Keys lists the AWS KMS condition keys that you can use to control access to the operation. You specify conditions in a policy's Condition element. For more information, see AWS KMS Condition Keys. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.

If you see an expand arrow (↗) in the upper-right corner of the table, you can open the table in a new window. To close the window, choose the close button (X) in the lower-right corner.

AWS KMS API Operations and Permissions

API Operations and Actions (Permissions) Policy Type Resources and ARNs (for IAM Policies) AWS KMS Condition Keys

API Operations and Actions (Permissions)	Policy Type	Resources and ARNs (for IAM Policies)	AWS KMS Condition Keys
CancelKeyDeletion `kms:CancelKeyDeletion`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
CreateAlias `kms:CreateAlias` To use this operation, the caller needs `kms:CreateAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy)	IAM policy (for the alias)	Alias `arn:aws:kms:AWS_region:AWS_account_ID:alias/alias_name`	None (when controlling access to the alias)
Key policy (for the CMK)	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
CreateGrant `kms:CreateGrant`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:GrantConstraintType` `kms:GranteePrincipal` `kms:GrantIsForAWSResource` `kms:GrantOperations` `kms:RetiringPrincipal` `kms:ViaService`
CreateKey `kms:CreateKey`	IAM policy	`*`	`kms:BypassPolicyLockoutSafetyCheck` `kms:KeyOrigin`
Decrypt `kms:Decrypt`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
DeleteAlias `kms:DeleteAlias` To use this operation, the caller needs `kms:DeleteAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy)	IAM policy (for the alias)	Alias `arn:aws:kms:AWS_region:AWS_account_ID:alias/alias_name`	None (when controlling access to the alias)
Key policy (for the CMK)	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
DeleteImportedKeyMaterial `kms:DeleteImportedKeyMaterial`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
DescribeKey `kms:DescribeKey`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
DisableKey `kms:DisableKey`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
DisableKeyRotation `kms:DisableKeyRotation`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
EnableKey `kms:EnableKey`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
EnableKeyRotation `kms:EnableKeyRotation`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
Encrypt `kms:Encrypt`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateDataKey `kms:GenerateDataKey`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateDataKeyWithoutPlaintext `kms:GenerateDataKeyWithoutPlaintext`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ViaService`
GenerateRandom `kms:GenerateRandom`	IAM policy	`*`	None
GetKeyPolicy `kms:GetKeyPolicy`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
GetKeyRotationStatus `kms:GetKeyRotationStatus`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
GetParametersForImport `kms:GetParametersForImport`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService` `kms:WrappingAlgorithm` `kms:WrappingKeySpec`
ImportKeyMaterial `kms:ImportKeyMaterial`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ExpirationModel` `kms:ValidTo` `kms:ViaService`
ListAliases `kms:ListAliases`	IAM policy	`*`	None
ListGrants `kms:ListGrants`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
ListKeyPolicies `kms:ListKeyPolicies`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
ListKeys `kms:ListKeys`	IAM policy	`*`	None
ListResourceTags `kms:ListResourceTags`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
ListRetirableGrants `kms:ListRetirableGrants`	IAM policy	`*`	None
PutKeyPolicy `kms:PutKeyPolicy`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:BypassPolicyLockoutSafetyCheck` `kms:CallerAccount` `kms:ViaService`
ReEncrypt `kms:ReEncryptFrom` `kms:ReEncryptTo` To use this operation, the caller needs permission on two CMKs: `kms:ReEncryptFrom` on the CMK used to decrypt `kms:ReEncryptTo` on the CMK used to encrypt	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:EncryptionContext:` `kms:EncryptionContextKeys` `kms:ReEncryptOnSameKey` `kms:ViaService`
RetireGrant Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see RetireGrant in the AWS Key Management Service API Reference.	Not applicable	Not applicable	Not applicable
RevokeGrant `kms:RevokeGrant`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
ScheduleKeyDeletion `kms:ScheduleKeyDeletion`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
TagResource `kms:TagResource`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService` `aws:RequestTag` (AWS global condition key) `aws:TagKeys` (AWS global condition key)
UntagResource `kms:UntagResource`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService` `aws:RequestTag` (AWS global condition key) `aws:TagKeys` (AWS global condition key)
UpdateAlias `kms:UpdateAlias` To use this operation, the caller needs `kms:UpdateAlias` permission on three resources: The alias The CMK that that alias currently points to The CMK that is specified in the `UpdateAlias` request	IAM policy (for the alias)	Alias `arn:aws:kms:AWS_region:AWS_account_ID:alias/alias_name`	None (when controlling access to the alias)
Key policy (for the CMKs)	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`
UpdateKeyDescription `kms:UpdateKeyDescription`	Key policy	CMK `arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID`	`kms:CallerAccount` `kms:ViaService`

CancelKeyDeletion

kms:CancelKeyDeletion

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

CreateAlias

kms:CreateAlias

To use this operation, the caller needs kms:CreateAlias permission on two resources:

The alias (in an IAM policy)
The CMK (in a key policy)

IAM policy (for the alias)

Alias

arn:aws:kms:AWS_region:AWS_account_ID:alias/alias_name

None (when controlling access to the alias)

Key policy (for the CMK)

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

CreateGrant

kms:CreateGrant

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:EncryptionContext:

kms:EncryptionContextKeys

kms:GrantConstraintType

kms:GranteePrincipal

kms:GrantIsForAWSResource

kms:GrantOperations

kms:RetiringPrincipal

kms:ViaService

CreateKey

kms:CreateKey

IAM policy

*

kms:BypassPolicyLockoutSafetyCheck

kms:KeyOrigin

Decrypt

kms:Decrypt

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:EncryptionContext:

kms:EncryptionContextKeys

kms:ViaService

DeleteAlias

kms:DeleteAlias

To use this operation, the caller needs kms:DeleteAlias permission on two resources:

The alias (in an IAM policy)
The CMK (in a key policy)

IAM policy (for the alias)

Alias

arn:aws:kms:AWS_region:AWS_account_ID:alias/alias_name

None (when controlling access to the alias)

Key policy (for the CMK)

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

DeleteImportedKeyMaterial

kms:DeleteImportedKeyMaterial

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

DescribeKey

kms:DescribeKey

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

DisableKey

kms:DisableKey

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

DisableKeyRotation

kms:DisableKeyRotation

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

EnableKey

kms:EnableKey

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

EnableKeyRotation

kms:EnableKeyRotation

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

Encrypt

kms:Encrypt

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:EncryptionContext:

kms:EncryptionContextKeys

kms:ViaService

GenerateDataKey

kms:GenerateDataKey

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:EncryptionContext:

kms:EncryptionContextKeys

kms:ViaService

GenerateDataKeyWithoutPlaintext

kms:GenerateDataKeyWithoutPlaintext

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:EncryptionContext:

kms:EncryptionContextKeys

kms:ViaService

GenerateRandom

kms:GenerateRandom

IAM policy

*

None

GetKeyPolicy

kms:GetKeyPolicy

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

GetKeyRotationStatus

kms:GetKeyRotationStatus

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

GetParametersForImport

kms:GetParametersForImport

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

kms:WrappingAlgorithm

kms:WrappingKeySpec

ImportKeyMaterial

kms:ImportKeyMaterial

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ExpirationModel

kms:ValidTo

kms:ViaService

ListAliases

kms:ListAliases

IAM policy

*

None

ListGrants

kms:ListGrants

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

ListKeyPolicies

kms:ListKeyPolicies

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

ListKeys

kms:ListKeys

IAM policy

*

None

ListResourceTags

kms:ListResourceTags

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

ListRetirableGrants

kms:ListRetirableGrants

IAM policy

*

None

PutKeyPolicy

kms:PutKeyPolicy

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:BypassPolicyLockoutSafetyCheck

kms:CallerAccount

kms:ViaService

ReEncrypt

kms:ReEncryptFrom

kms:ReEncryptTo

To use this operation, the caller needs permission on two CMKs:

kms:ReEncryptFrom on the CMK used to decrypt
kms:ReEncryptTo on the CMK used to encrypt

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:EncryptionContext:

kms:EncryptionContextKeys

kms:ReEncryptOnSameKey

kms:ViaService

RetireGrant

Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see RetireGrant in the AWS Key Management Service API Reference.

Not applicable

RevokeGrant

kms:RevokeGrant

Key policy

CMK

arn:aws:kms:AWS_region:AWS_account_ID:key/CMK_key_ID

kms:CallerAccount

kms:ViaService

ScheduleKeyDeletion

kms:ScheduleKeyDeletion

Key policy

CMK