AWS KMS permissions

The Actions and Resources Table is designed to help you define access control in key policies and IAM policies.

Note

You might have to scroll horizontally or vertically to see all of the data in the table.

Actions and permissions	Policy type	Cross-account use	Resources (for IAM policies)	AWS KMS condition keys
CancelKeyDeletion `kms:CancelKeyDeletion`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
ConnectCustomKeyStore `kms:ConnectCustomKeyStore`	IAM policy	No	`*`	kms:CallerAccount
CreateAlias `kms:CreateAlias` To use this operation, the caller needs `kms:CreateAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy) For details, see Controlling access to aliases.	IAM policy (for the alias)	No	Alias	None (when controlling access to the alias)
	Key policy (for the CMK)	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
CreateCustomKeyStore `kms:CreateCustomKeyStore`	IAM policy	No	`*`	kms:CallerAccount
CreateGrant `kms:CreateGrant`	Key policy	Yes	CMK	Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Grant conditions: kms:GrantConstraintType kms:GranteePrincipal kms:GrantIsForAWSResource kms:GrantOperations kms:RetiringPrincipal Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
CreateKey `kms:CreateKey`	IAM policy	No	`*`	kms:BypassPolicyLockoutSafetyCheck kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key) aws:ResourceTag/tag-key (AWS global condition key) aws:TagKeys (AWS global condition key)
Decrypt `kms:Decrypt`	Key policy	Yes	CMK	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DeleteAlias `kms:DeleteAlias` To use this operation, the caller needs `kms:DeleteAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy) For details, see Controlling access to aliases.	IAM policy (for the alias)	No	Alias	None (when controlling access to the alias)
	Key policy (for the CMK)	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DeleteCustomKeyStore `kms:DeleteCustomKeyStore`	IAM policy	No	`*`	kms:CallerAccount
DeleteImportedKeyMaterial `kms:DeleteImportedKeyMaterial`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DescribeCustomKeyStores `kms:DescribeCustomKeyStores`	IAM policy	No	`*`	kms:CallerAccount
DescribeKey `kms:DescribeKey`	Key policy	Yes	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:RequestAlias
DisableKey `kms:DisableKey`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DisableKeyRotation `kms:DisableKeyRotation`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
DisconnectCustomKeyStore `kms:DisconnectCustomKeyStore`	IAM policy	No	`*`	kms:CallerAccount
EnableKey `kms:EnableKey`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
EnableKeyRotation `kms:EnableKeyRotation`	Key policy	No	CMK (symmetric only)	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
Encrypt `kms:Encrypt`	Key policy	Yes	CMK	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKey `kms:GenerateDataKey`	Key policy	Yes	CMK (symmetric only)	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKeyPair `kms:GenerateDataKeyPair`	Key policy	Yes	CMK (symmetric only) `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext` generate an asymmetric data key pair that is protected by a symmetric CMK.	Conditions for data key pairs: kms:DataKeyPairSpec Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKeyPairWithoutPlaintext `kms:GenerateDataKeyPairWithoutPlaintext`	Key policy	Yes	CMK (symmetric only) `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext` generate an asymmetric data key pair that is protected by a symmetric CMK.	Conditions for data key pairs: kms:DataKeyPairSpec Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateDataKeyWithoutPlaintext `kms:GenerateDataKeyWithoutPlaintext`	Key policy	Yes	CMK (symmetric only)	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GenerateRandom `kms:GenerateRandom`	IAM policy	N/A	`*`	None
GetKeyPolicy `kms:GetKeyPolicy`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GetKeyRotationStatus `kms:GetKeyRotationStatus`	Key policy	Yes	CMK (symmetric only)	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GetParametersForImport `kms:GetParametersForImport`	Key policy	No	CMK (symmetric only)	kms:WrappingAlgorithm kms:WrappingKeySpec Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
GetPublicKey `kms:GetPublicKey`	Key policy	Yes	CMK (asymmetric only)	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:RequestAlias
ImportKeyMaterial `kms:ImportKeyMaterial`	Key policy	No	CMK (symmetric only)	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:ExpirationModel kms:ValidTo
ListAliases `kms:ListAliases`	IAM policy	No	`*`	None
ListGrants `kms:ListGrants`	Key policy	Yes	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:GrantIsForAWSResource
ListKeyPolicies `kms:ListKeyPolicies`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
ListKeys `kms:ListKeys`	IAM policy	No	`*`	None
ListResourceTags `kms:ListResourceTags`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
ListRetirableGrants `kms:ListRetirableGrants`	IAM policy	The specified principal must be in the local account, but the operation returns grants in all accounts.	`*`	None
PutKeyPolicy `kms:PutKeyPolicy`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:BypassPolicyLockoutSafetyCheck
ReEncrypt `kms:ReEncryptFrom` `kms:ReEncryptTo` To use this operation, the caller needs permission on two CMKs: `kms:ReEncryptFrom` on the CMK used to decrypt `kms:ReEncryptTo` on the CMK used to encrypt	Key policy	Yes	CMK	Conditions for cryptographic operations kms:EncryptionAlgorithm kms:RequestAlias Encryption context conditions: kms:EncryptionContext:context-key kms:EncryptionContextKeys Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:ReEncryptOnSameKey
ReplicateKey `kms:ReplicateKey` To use this operation, the caller needs the following permissions: `kms:ReplicateKey` on the multi-Region primary key `kms:CreateKey` in an IAM policy in the replica Region	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:ReplicaRegion
RetireGrant `kms:RetireGrant` Permission to retire a grant is determined primarily by the grant. A policy alone cannot allow access to this operation. For more information, see Retiring and revoking grants.	IAM policy (This permission is not effective in a key policy.)	Yes	CMK	kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key)
RevokeGrant `kms:RevokeGrant`	Key policy	Yes	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions: kms:GrantIsForAWSResource
ScheduleKeyDeletion `kms:ScheduleKeyDeletion`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
Sign `kms:Sign`	Key policy	Yes	CMK (asymmetric only)	Conditions for signing and verification: kms:MessageType kms:RequestAlias kms:SigningAlgorithm Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
TagResource `kms:TagResource`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key) aws:TagKeys (AWS global condition key)
UntagResource `kms:UntagResource`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key) aws:TagKeys (AWS global condition key)
UpdateAlias `kms:UpdateAlias` To use this operation, the caller needs `kms:UpdateAlias` permission on three resources: The alias The currently associated CMK The newly associated CMK For details, see Controlling access to aliases.	IAM policy (for the alias)	No	Alias	None (when controlling access to the alias)
	Key policy (for the CMKs)	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
UpdateCustomKeyStore `kms:UpdateCustomKeyStore`	IAM policy	No	`*`	kms:CallerAccount
UpdateKeyDescription `kms:UpdateKeyDescription`	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService
UpdatePrimaryRegion `kms:UpdatePrimaryRegion` To use this operation, the caller needs `kms:UpdatePrimaryRegion` permission on both the multi-Region primary key that will become a replica key and the multi-Region replica key that will become the primary key.	Key policy	No	CMK	Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService Other conditions kms:PrimaryRegion
Verify `kms:Verify`	Key policy	Yes	CMK (asymmetric only)	Conditions for signing and verification: kms:MessageType kms:RequestAlias kms:SigningAlgorithm Conditions for CMK operations: kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases aws:ResourceTag/tag-key (AWS global condition key) kms:ViaService

The columns in this table provide the following information:

Actions and permissions lists each AWS KMS API operation and the permission that allows the operation. You specify the operation in Action element of a policy statement.
Policy type indicates whether the permission can be used in a key policy or IAM policy.

Key policy means that you can specify the permission in the key policy. When the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy.

IAM policy means that you can specify the permission only in an IAM policy.
Cross-account use shows the operations that authorized users can perform on resources in a different AWS account.

A value of Yes means that principals can perform the operation on resources in a different AWS account.

A value of No means that principals can perform the operation only on resources in their own AWS account.

If you give a principal in a different account a permission that can't be used on a cross-account resource, the permission is not effective. For example, if you give a principal in a different account kms:TagResource permission to a CMK in your account, their attempts to tag the CMK in your account will fail.
Resources lists the AWS KMS resources to which the permissions apply. AWS KMS supports two resource types: a customer master key (CMK) and an alias. In a key policy, the value of the Resource element is always *, which indicates the CMK to which the key policy is attached.

Use the following values to represent an AWS KMS resource in an IAM policy.

CMK

When the resource is a customer master key (CMK), use its key ARN. For help, see Finding the key ID and ARN.

arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID

For example:

arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Alias

When the resource is an alias, use its alias ARN. For help, see Finding the alias name and alias ARN.

arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name

For example:

arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

* (asterisk)

When the permission doesn't apply to a particular resource (CMK or alias), use an asterisk (*).

In an IAM policy for an AWS KMS permission, an asterisk in the Resource element indicates all AWS KMS resources (CMKs and aliases). You can also use an asterisk in the Resource element when the AWS KMS permission doesn't apply to any particular CMKs or aliases. For example, when allowing or denying kms:CreateKey or kms:ListKeys permission, you can set the Resource element to * or to an account-specific variation, such as arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*.
AWS KMS condition keys lists the AWS KMS condition keys that you can use to control access to the operation. You specify conditions in a policy's Condition element. For more information, see AWS KMS condition keys. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Allowing cross-account access to a CMK

Using policy conditions