AWS KMS API permissions: Actions and resources reference

The Actions and Resources Table is designed to help you define access control in key policies and IAM policies. The columns provide the following information:

API operations and actions (permissions) lists each AWS KMS API operation and the corresponding action (permission) that allows the operation. You specify actions in a policy's Action element.
Policy type indicates whether the permission can be used in a key policy or IAM policy. When the type is key policy, you can specify the permission explicitly in the key policy. Or, if the key policy contains the policy statement that enables IAM policies, you can specify the permission in an IAM policy. When the type is IAM policy, you can specify the permission only in an IAM policy.
Resources lists the AWS KMS resources to which the permissions apply. AWS KMS supports two resource types: a customer master key (CMK) and an alias. In a key policy, the value of the Resource element is always *, which indicates the CMK to which the key policy is attached.

Use the following values to represent an AWS KMS resource in an IAM policy.

CMK

When the resource is a customer master key (CMK), use its key ARN. For help, see Finding the key ID and ARN.

arn:AWS_partition_name:kms:AWS_Region:AWS_account_ID:key/key_ID

For example:

arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Alias

When the resource is an alias, use its alias ARN. To get the alias ARN, use the ListAliases operation.

arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:alias/alias_name

For example:

arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias

* (asterisk)

When the permission doesn't apply to a particular resource (CMK or alias), use an asterisk (*).

In an IAM policy for an AWS KMS permission, an asterisk in the Resource element indicates all AWS KMS resources (CMKs and aliases). You can also use an asterisk in the Resource element when the AWS KMS permission doesn't apply to any particular CMKs or aliases. For example, when allowing or denying kms:CreateKey or kms:ListKeys permission, you can set the Resource element to * or to an account-specific variation, such as arn:AWS_partition_name:kms:AWS_region:AWS_account_ID:*.
AWS KMS condition keys lists the AWS KMS condition keys that you can use to control access to the operation. You specify conditions in a policy's Condition element. For more information, see AWS KMS condition keys. This column also includes AWS global condition keys that are supported by AWS KMS, but not by all AWS services.

AWS KMS API operations and permissions
API operations and actions (permissions)	Policy type	Resources (for IAM policies)	AWS KMS condition keys
CancelKeyDeletion `kms:CancelKeyDeletion`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
ConnectCustomKeyStore `kms:ConnectCustomKeyStore`	IAM policy	`*`	None
CreateAlias `kms:CreateAlias` To use this operation, the caller needs `kms:CreateAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy) For details, see Controlling access to aliases.	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMK)	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
CreateCustomKeyStore `kms:CreateCustomKeyStore`	IAM policy	`*`	None
CreateGrant `kms:CreateGrant`	Key policy	CMK	kms:EncryptionContext: kms:EncryptionContextKeys kms:GrantConstraintType kms:GranteePrincipal kms:GrantIsForAWSResource kms:GrantOperations kms:RetiringPrincipal kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
CreateKey `kms:CreateKey`	IAM policy	`*`	kms:BypassPolicyLockoutSafetyCheck kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin
Decrypt `kms:Decrypt`	Key policy	CMK	kms:EncryptionAlgorithm kms:EncryptionContext: kms:EncryptionContextKeys kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
DeleteAlias `kms:DeleteAlias` To use this operation, the caller needs `kms:DeleteAlias` permission on two resources: The alias (in an IAM policy) The CMK (in a key policy) For details, see Controlling access to aliases.	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMK)	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
DeleteCustomKeyStore `kms:DeleteCustomKeyStore`	IAM policy	`*`	None
DeleteImportedKeyMaterial `kms:DeleteImportedKeyMaterial`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
DescribeCustomKeyStores `kms:DescribeCustomKeyStores`	IAM policy	`*`	None
DescribeKey `kms:DescribeKey`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
DisableKey `kms:DisableKey`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
DisableKeyRotation `kms:DisableKeyRotation`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
DisconnectCustomKeyStore `kms:DisconnectCustomKeyStore`	IAM policy	`*`	None
EnableKey `kms:EnableKey`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
EnableKeyRotation `kms:EnableKeyRotation`	Key policy	CMK (symmetric only)	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
Encrypt `kms:Encrypt`	Key policy	CMK	kms:EncryptionAlgorithm kms:EncryptionContext: kms:EncryptionContextKeys kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
GenerateDataKey `kms:GenerateDataKey`	Key policy	CMK (symmetric only)	kms:EncryptionAlgorithm kms:EncryptionContext: kms:EncryptionContextKeys kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
GenerateDataKeyPair `kms:GenerateDataKeyPair`	Key policy	CMK (symmetric only) `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext` generate an asymmetric data key pair that is protected by a symmetric CMK.	kms:DataKeyPairSpec kms:EncryptionAlgorithm kms:EncryptionContext: kms:EncryptionContextKeys kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
GenerateDataKeyPairWithoutPlaintext `kms:GenerateDataKeyPairWithoutPlaintext`	Key policy	CMK (symmetric only) `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext` generate an asymmetric data key pair that is protected by a symmetric CMK.	kms:DataKeyPairSpec kms:EncryptionAlgorithm kms:EncryptionContext: kms:EncryptionContextKeys kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
GenerateDataKeyWithoutPlaintext `kms:GenerateDataKeyWithoutPlaintext`	Key policy	CMK (symmetric only)	kms:EncryptionAlgorithm kms:EncryptionContext: kms:EncryptionContextKeys kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
GenerateRandom `kms:GenerateRandom`	IAM policy	`*`	None
GetKeyPolicy `kms:GetKeyPolicy`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
GetKeyRotationStatus `kms:GetKeyRotationStatus`	Key policy	CMK (symmetric only)	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
GetParametersForImport `kms:GetParametersForImport`	Key policy	CMK (symmetric only)	kms:WrappingAlgorithm kms:WrappingKeySpec kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
GetPublicKey `kms:GetPublicKey`	Key policy	CMK (asymmetric only)	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
ImportKeyMaterial `kms:ImportKeyMaterial`	Key policy	CMK (symmetric only)	kms:ExpirationModel kms:ValidTo kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
ListAliases `kms:ListAliases`	IAM policy	`*`	None
ListGrants `kms:ListGrants`	Key policy	CMK	kms:GrantIsForAWSResource kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
ListKeyPolicies `kms:ListKeyPolicies`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
ListKeys `kms:ListKeys`	IAM policy	`*`	None
ListResourceTags `kms:ListResourceTags`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
ListRetirableGrants `kms:ListRetirableGrants`	IAM policy	`*`	None
PutKeyPolicy `kms:PutKeyPolicy`	Key policy	CMK	kms:BypassPolicyLockoutSafetyCheck kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
ReEncrypt `kms:ReEncryptFrom` `kms:ReEncryptTo` To use this operation, the caller needs permission on two CMKs: `kms:ReEncryptFrom` on the CMK used to decrypt `kms:ReEncryptTo` on the CMK used to encrypt	Key policy	CMK	kms:EncryptionAlgorithm kms:EncryptionContext: kms:EncryptionContextKeys kms:ReEncryptOnSameKey kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
RetireGrant `kms:RetireGrant` Permission to retire a grant is determined primarily by the grant. A policy alone cannot allow access to this operation. For more information, see Retiring and revoking grants.	Key policy	CMK	None
RevokeGrant `kms:RevokeGrant`	Key policy	CMK	kms:GrantIsForAWSResource kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
ScheduleKeyDeletion `kms:ScheduleKeyDeletion`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
Sign `kms:Sign`	Key policy	CMK (asymmetric only)	kms:MessageType kms:SigningAlgorithm kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
TagResource `kms:TagResource`	Key policy	CMK	aws:RequestTag (AWS global condition key) aws:TagKeys (AWS global condition key) kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
UntagResource `kms:UntagResource`	Key policy	CMK	aws:RequestTag (AWS global condition key) aws:TagKeys (AWS global condition key) kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
UpdateAlias `kms:UpdateAlias` To use this operation, the caller needs `kms:UpdateAlias` permission on three resources: The alias The currently associated CMK The newly associated CMK For details, see Controlling access to aliases.	IAM policy (for the alias)	Alias	None (when controlling access to the alias)
	Key policy (for the CMKs)	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
UpdateCustomKeyStore `kms:UpdateCustomKeyStore`	IAM policy	`*`	None
UpdateKeyDescription `kms:UpdateKeyDescription`	Key policy	CMK	kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService
Verify `kms:Verify`	Key policy	CMK (asymmetric only)	kms:MessageType kms:SigningAlgorithm kms:CallerAccount kms:CustomerMasterKeySpec kms:CustomerMasterKeyUsage kms:KeyOrigin kms:ViaService

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Allowing cross-account access to a CMK

Using policy conditions