Using Policy Conditions with AWS KMS
You can specify conditions in the key policies and IAM policies that control access to AWS KMS resources. The policy statement is effective only when the conditions are true. For example, you might want a policy statement to take effect only after a specific date. Or, you might want a policy statement to control access only when a specific value appears in an API request.
To specify conditions, you use predefined condition keys in the
Condition element of a policy statement with IAM condition policy
operators. Some condition keys apply generally to AWS; others are specific to
AWS KMS.
AWS Global Condition Keys
AWS provides global condition
keys, a set of predefined condition keys for all AWS services that use IAM for
access control. For example, you can use the aws:PrincipalType condition key to
allow access only when the principal in the request is the type you specify.
AWS KMS supports all global condition keys, including the aws:TagKeys and
aws:RequestTag condition keys that control access based on the resource tag in
the request. This condition key is supported by some, but not all, AWS services.
Topics
Using the IP Address Condition in Policies with AWS KMS Permissions
You can use AWS KMS to protect your data in an integrated AWS service. But use caution when specifying the IP address condition operators or the aws:SourceIp condition key in
the same policy statement that allows or denies access to AWS KMS. For example, the
policy in
AWS: Denies Access
to AWS Based on the Source IP restricts AWS actions to requests from the specified
IP range.
Consider this scenario:
-
You attach a policy like the one shown at AWS: Denies Access to AWS Based on the Source IP to an IAM user. You set the value of the
aws:SourceIpcondition key to the range of IP addresses for the user's company. This IAM user has other policies attached that allow it to use Amazon EBS, Amazon EC2, and AWS KMS. -
The user attempts to attach an encrypted EBS volume to an EC2 instance. This action fails with an authorization error even though the user has permission to use all the relevant services.
Step 2 fails because the request to AWS KMS to decrypt the volume's encrypted data key comes from an IP address that is associated with the Amazon EC2 infrastructure. To succeed, the request must come from the IP address of the originating user. Because the policy in step 1 explicitly denies all requests from IP addresses other than those specified, Amazon EC2 is denied permission to decrypt the EBS volume's encrypted data key.
Also, the aws:sourceIP condition key is not effective when the request
comes from an Amazon VPC endpoint. To
restrict requests to a VPC endpoint, including an AWS KMS VPC
endpoint, use the aws:sourceVpce or aws:sourceVpc condition
keys. For more information, see VPC Endpoints - Controlling
the Use of Endpoints in the Amazon VPC User
Guide.
Using VPC Endpoint Conditions in Policies with AWS KMS Permissions
AWS KMS supports Amazon Virtual Private Cloud (Amazon VPC) endpoints that are powered by AWS PrivateLink. You can use the following global condition keys in IAM policies to allow or deny access to a particular VPC or VPC endpoint. You can also use these global condition keys in AWS KMS key policies to restrict access to AWS KMS CMKs to requests from the VPC or VPC endpoint.
-
aws:SourceVpclimits access to requests from the specified VPC. -
aws:SourceVpcelimits access to requests from the specified VPC endpoint.
If you use these condition keys in a key policy statement that allows or denies access to AWS KMS CMKs, you might inadvertently deny access to services that use AWS KMS on your behalf.
Take care to avoid a situation like the IP address condition keys example. If you restrict requests for a CMK to a VPC or VPC endpoint, calls to AWS KMS from an integrated service, such as Amazon S3 or Amazon EBS, might fail. This can happen even if the source request ultimately originates in the VPC or from the VPC endpoint.
AWS KMS Condition Keys
AWS KMS provides an additional set of predefined condition keys that you can use in
key
policies and IAM policies. These condition keys are specific to AWS KMS. For example,
you can
use the kms:EncryptionContext condition key to require a particular encryption context when controlling access to an AWS KMS
customer master key (CMK).
The following topics describe each AWS KMS condition key and include example policy statements that demonstrate policy syntax.
Topics
- kms:BypassPolicyLockoutSafetyCheck
- kms:CallerAccount
- kms:EncryptionContext:
- kms:EncryptionContextKeys
- kms:ExpirationModel
- kms:GrantConstraintType
- kms:GrantIsForAWSResource
- kms:GrantOperations
- kms:GranteePrincipal
- kms:KeyOrigin
- kms:ReEncryptOnSameKey
- kms:RetiringPrincipal
- kms:ValidTo
- kms:ViaService
- kms:WrappingAlgorithm
- kms:WrappingKeySpec
kms:BypassPolicyLockoutSafetyCheck
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
Boolean |
|
CreateKey: IAM policies only PutKeyPolicy: IAM and key policies |
The kms:BypassPolicyLockoutSafetyCheck condition key controls access to the
CreateKey and PutKeyPolicy operations based on the value
of the BypassPolicyLockoutSafetyCheck parameter in the request.
The following example IAM policy statement prevents users from bypassing the policy
lockout safety check by denying them permission to create CMKs when the value of the
BypassPolicyLockoutSafetyCheck parameter in the CreateKey request
is true.
{ "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "kms:CreateKey", "Resource": "*", "Condition": { "Bool": { "kms:BypassPolicyLockoutSafetyCheck": true } } } }
You can also use the kms:BypassPolicyLockoutSafetyCheck condition key in an
IAM policy or key policy to control access to the PutKeyPolicy operation. The
following example policy statement from a key policy prevents users from bypassing
the
policy lockout safety check when changing the policy of a CMK.
Instead of using an explicit Deny, this policy statement uses
Allow with the Null condition operator to allow access only when the request does
not include the BypassPolicyLockoutSafetyCheck parameter. When the parameter is
not used, the default value is false. This slightly weaker policy statement can
be overriden in the rare case that a bypass is necessary.
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "kms:PutKeyPolicy", "Resource": "*", "Condition": { "Null": { "kms:BypassPolicyLockoutSafetyCheck": true } } } }
See Also
kms:CallerAccount
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String |
The |
Key policies only |
You can use this condition key to allow or deny access to all identities (IAM users
and roles) in an AWS account. In key policies, you use the Principal element
to specify the identities to which the policy statement applies. The syntax for the
Principal element does not provide a way to specify all identities in an AWS
account. But you can achieve this effect by combining this condition key with a
Principal element that specifies all AWS identities.
For example, the following policy statement demonstrates how to use the
kms:CallerAccount condition key. This policy statement is in the key policy for
the AWS managed CMK for Amazon EBS. It combines a Principal element that specifies
all AWS identities with the kms:CallerAccount condition key to effectively
allow access to all identities in AWS account 111122223333. It contains an
additional AWS KMS condition key (kms:ViaService) to further limit the
permissions by only allowing requests that come through Amazon EBS. For more information,
see
kms:ViaService.
{ "Sid": "Allow access through EBS for all principals in the account that are authorized to use EBS", "Effect": "Allow", "Principal": {"AWS": "*"}, "Condition": { "StringEquals": { "kms:CallerAccount": "111122223333", "kms:ViaService": "ec2.us-west-2.amazonaws.com" } }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey" ], "Resource": "*" }
kms:EncryptionContext:
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String |
|
IAM and key policies |
You can use the kms:EncryptionContext: condition key prefix to control
access to a CMK based on the encryption context in a request for a cryptographic operation.
Use this condition key prefix to evaluate both the key and the value in the encryption
context pair. To evaluate only the encryption context keys, use the kms:EncryptionContextKeys condition
key.
An encryption context is a set of nonsecret key–value pairs that you can include in a request for any AWS KMS cryptographic operation (Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, and ReEncrypt) and the CreateGrant operation. When you specify an encryption context in an encryption operation, you must specify the same encryption context in the decryption operation. Otherwise, the decryption request fails.
To use the kms:EncryptionContext: condition key prefix, replace the
encryption_context_key placeholder with the encryption context key. Replace the
encryption_context_value placeholder with the encryption context value.
"kms:EncryptionContext:encryption_context_key":
"encryption_context_value"
For example, the following condition key specifies an encryption context in which
the
key is AppName and the value is ExampleApp.
"kms:EncryptionContext:AppName": "ExampleApp"
The following example key policy statement uses this condition key. This policy allows
the principal to use the CMK in a GenerateDataKey request only when the
encryption context in the request is "AppName": "ExampleApp".
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:AppName": "ExampleApp" } } }
To require more than one encryption context pair, you can include multiple instances
of
the kms:EncryptionContext: condition. For example, the following example policy
statement requires both of the following encryption context pairs. The order in which
the
pairs are specified does not matter.
-
"AppName": "ExampleApp" -
"FilePath": "/var/opt/secrets/"
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:AppName": "ExampleApp", "kms:EncryptionContext:FilePath": "/var/opt/secrets/" } } }
The encryption context that is specified in a decryption operation must be an exact, case-sensitive match for the encryption context that is specified in the encryption operation. Only the order of pairs in an encryption context with multiple pair can vary.
However, in policy conditions, the condition key is not case sensitive. The case
sensitivity of the condition value is determined by the policy condition operator that you use, such as StringEquals or
StringEqualsIgnoreCase.
As such, the condition key, which consists of the kms:EncryptionContext:
prefix and the encryption_context_keyencryption_context_value
For example, the following policy statement allows the operation when the encryption
context includes an Appname key, regardless of its capitalization. The
StringEquals condition requires that ExampleApp be capitalized as it
is specified.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp" }, "Action": "kms:Decrypt", "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:Appname": "ExampleApp" } } }
To require a case-sensitive encryption context key, use the kms:EncryptionContextKeys policy
condition with a case-sensitive condition operator, such as StringEquals. In this
policy condition, because the encryption context key is the policy condition value,
its case
sensitivity is determined by the condition operator.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContextKey": "AppName" } } }
To require a case-sensitive evaluation of both the encryption context key and value,
use
the kms:EncryptionContextKey and kms:EncryptionContext: policy
conditions together in the same policy statement. For example, in the following example
policy
statement, because the StringEquals operator is case sensitive, both the
encryption context key and the encryption context value are case sensitive.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContextKey": "AppName", "kms:EncryptionContext:AppName": "ExampleApp" } } }
See Also
kms:EncryptionContextKeys
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String (list) |
|
IAM and key policies |
You can use the kms:EncryptionContextKeys condition key to control access
to a CMK based on the encryption context in a request for a cryptographic operation.
Use
this condition key prefix to evaluate only the key in each encryption context pair.
To
evaluate both the key and the value,, use the kms:EncryptionContext: condition key
prefix.
You can use this condition key to control access based on the encryption context in the AWS KMS API request. Encryption context is a set of key–value pairs that you can include in AWS KMS cryptographic operations (Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, and ReEncrypt) and the CreateGrant operation.
The following example policy statement uses the kms:EncryptionContextKeys
condition key to allow use of a CMK for the specified operations only when the encryption
context in the request includes the AppName key, regardless of its value.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp" }, "Action": [ "kms:Encrypt", "kms:GenerateDataKey*" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContextKeys": "AppName" } } }
Because the StringEquals condition operation is case sensitive, the previous policy statement
requires the spelling and case of the encryption context key. But you can use a condition
operator that ignores the case of the key, such as
StringEqualsIgnoreCase.
You can specify multiple encryption context keys in each condition. For example, the
following policy statement allows the specified operations only when the encryption
context
in the request includes both the AppName and FilePath keys,
regardless of their values. The order of keys in the encryption context does not
matter.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp" }, "Action": [ "kms:Encrypt", "kms:GenerateDataKey*" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContextKeys": [ "AppName", "FilePath" ] } } }
You can also use the kms:EncryptionContextKeys condition key to require an
encryption context in cryptographic operations that use the CMK.
The following example key policy statement uses the
kms:EncryptionContextKeys condition key with the Null condition operator to allow
access to CMK only when the kms:EncryptionContextKeys condition key exists (is
not null) in the API request. It does not check the keys or values of the encryption
context, only that the encryption context exists.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp" }, "Action": [ "kms:Encrypt", "kms:GenerateDataKey*" ], "Resource": "*", "Condition": { "Null": { "kms:EncryptionContextKeys": false } } }
See Also
kms:ExpirationModel
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String |
|
IAM and key policies |
The kms:ExpirationModel condition key controls access to the ImportKeyMaterial operation based on
the value of the ExpirationModel parameter in the request.
ExpirationModel is an optional parameter that determines whether the
imported key material expires. Valid values are KEY_MATERIAL_EXPIRES and
KEY_MATERIAL_DOES_NOT_EXPIRE. KEY_MATERIAL_EXPIRES is the default
value.
The expiration date and time is determined by the value of the ValidTo parameter. The ValidTo parameter is required unless the value
of the ExpirationModel parameter is KEY_MATERIAL_DOES_NOT_EXPIRE.
You can also use the kms:ValidTo condition
key to require a particular expiration date as a condition for access.
The following example policy statement uses the kms:ExpirationModel
condition key to allow a user to import key material into a CMK only when the request
includes the ExpirationModel parameter and its value is
KEY_MATERIAL_DOES_NOT_EXPIRE.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:ImportKeyMaterial", "Resource": "*", "Condition": { "StringEquals": { "kms:ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE" } } }
You can also use the kms:ExpirationModel condition key to allow a user to
import key material only when the key material expires, without specifying an expiration date in the condition. The
following example policy statement uses the kms:ExpirationModel condition key
with the Null condition operator to allow a user to import key material only when the request
does not have an ExpirationModel parameter.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:ImportKeyMaterial", "Resource": "*", "Condition": { "Null": { "kms:ExpirationModel": true } } }
See Also
kms:GrantConstraintType
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String |
|
IAM and key policies |
You can use this condition key to control access to the CreateGrant operation based on the type of grant constraint in the request.
When you create a grant, you can optionally specify a grant constraint to allow the
operations that the grant permit only when a particular encryption context is present.
The
grant constraint can be one of two types: EncryptionContextEquals or
EncryptionContextSubset. You can use this condition key to check that the
request contains one type or the other.
The following example policy statement uses the kms:GrantConstraintType
condition key to allow a user to create grants only when the request includes an
EncryptionContextEquals grant constraint. The example shows a policy statement
in a key policy.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "StringEquals": { "kms:GrantConstraintType": "EncryptionContextEquals" } } }
See Also
kms:GrantIsForAWSResource
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
Boolean |
|
IAM and key policies |
You can use this condition key to control access to the CreateGrant operation based on whether the
grant is created in the context of an AWS service
integrated with AWS KMS. This condition key is set to true when one of the
following integrated services is used to create the grant:
-
Amazon Elastic Block Store (Amazon EBS) – For more information, see How Amazon Elastic Block Store (Amazon EBS) Uses AWS KMS.
-
Amazon Relational Database Service (Amazon RDS) – For more information, see How Amazon Relational Database Service (Amazon RDS) Uses AWS KMS.
-
Amazon Redshift – For more information, see How Amazon Redshift Uses AWS KMS.
-
AWS Certificate Manager (ACM) – For more information, see ACM Private Key Security in the AWS Certificate Manager User Guide.
For example, the following policy statement uses the
kms:GrantIsForAWSResource condition key to allow a user to create grants only
through one of the integrated services in the preceding list. It does not allow the
user to
create grants directly. The example shows a policy statement in a key policy.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } }
See Also
kms:GrantOperations
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String |
|
IAM and key policies |
You can use this condition key to control access to the CreateGrant operation based on the grant operations in the request. For example, you can allow a user to create grants that delegate permission to encrypt but not decrypt.
The following example policy statement uses the kms:GrantOperations
condition key to allow a user to create grants that delegate permission to encrypt
and
reencrypt when this CMK is the destination CMK. The example shows a policy statement
in a
key policy.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "kms:GrantOperations": [ "Encrypt", "ReEncryptTo" ] } } }
See Also
kms:GranteePrincipal
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String |
|
IAM and key policies |
You can use this condition key to control access to the CreateGrant operation based on the value of
the GranteePrincipal parameter in the request. For example, you can allow a user to
create grants to use a CMK only when the grantee principal in the CreateGrant
request matches the principal specified in the condition statement.
The following example policy statement uses the kms:GranteePrincipal
condition key to allow a user to create grants for a CMK only when the grantee principal
in
the grant is the LimitedAdminRole.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "StringEquals": { "kms:GranteePrincipal": "arn:aws:iam::111122223333:role/LimitedAdminRole" } } }
See Also
kms:KeyOrigin
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String |
|
IAM policies |
You can use this condition key to control access to the CreateKey operation based on the value of the
Origin
parameter in the request. Valid values for Origin are AWS_KMS,
AWS_CLOUDHSM, and
EXTERNAL.
For example, you can allow a user to create a CMK only when the key material is
generated in KMS (AWS_KMS), only when the key material is generated in an AWS CloudHSM
cluster that is associated with a custom key
store (AWS_CLOUDHSM), or only when the key material is imported from an external source (EXTERNAL).
The following example policy statement uses the kms:KeyOrigin condition key
to allow a user to create a CMK only when the key origin is EXTERNAL, that is, the
key
material is imported.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:CreateKey", "Resource": "*", "Condition": { "StringEquals": { "kms:KeyOrigin": "EXTERNAL" } } }
See Also
kms:ReEncryptOnSameKey
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
Boolean |
|
IAM and key policies |
You can use this condition key to control access to the ReEncrypt operation based on whether the
request specifies a destination CMK that is the same one used for the original encryption.
For example, the following policy statement uses the kms:ReEncryptOnSameKey
condition key to allow a user to reencrypt only when the destination CMK is the same
one
used for the original encryption. The example shows a policy statement in a key
policy.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:ReEncrypt*", "Resource": "*", "Condition": { "Bool": { "kms:ReEncryptOnSameKey": true } } }
kms:RetiringPrincipal
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String (list) |
|
IAM and key policies |
You can use this condition key to control access to the CreateGrant operation based on the value of
the RetiringPrincipal parameter in the request. For example, you can allow a user to
create grants to use a CMK only when the RetiringPrincipal in the
CreateGrant request matches the RetiringPrincipal in the condition
statement.
The following example policy statement allows a user to create grants for the CMK.
The
kms:RetiringPrincipal condition key restricts the permission to
CreateGrant requests where the retiring principal in the grant is either the
LimitedAdminRole or the OpsAdmin user.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "kms:RetiringPrincipal": [ "arn:aws:iam::111122223333:role/LimitedAdminRole", "arn:aws:iam::111122223333:user/OpsAdmin" ] } } }
See Also
kms:ValidTo
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
Timestamp |
|
IAM and key policies |
The kms:ValidTo condition key controls access to the ImportKeyMaterial operation based on
the value of the ValidTo parameter in the request, which determines when the imported key material
expires. The value is expressed in Unix
time.
By default, the ValidTo parameter is required in an
ImportKeyMaterial request. However, if the value of the ExpirationModel parameter is KEY_MATERIAL_DOES_NOT_EXPIRE, the
ValidTo parameter is invalid. You can also use the kms:ExpirationModel condition key to
require the ExpirationModel parameter or a specific parameter value.
The following example policy statement allows a user to import key material into a
CMK.
The kms:ValidTo condition key limits the permission to
ImportKeyMaterial requests where the ValidTo value is less than or
equal to 1546257599.0 (December 31, 2018 11:59:59 PM).
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:ImportKeyMaterial", "Resource": "*", "Condition": { "NumericLessThanEquals": { "kms:ValidTo": "1546257599.0" } } }
See Also
kms:ViaService
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String |
The |
IAM and key policies |
The kms:ViaService condition key limits use of an AWS KMS customer master key (CMK) to requests from specified AWS
services. You can specify one or more services in each kms:ViaService condition
key.
For example, the following statement from a key policy uses the
kms:ViaService condition key to allow a customer
managed CMK to be used for the specified actions only when the request comes from
Amazon EC2 or Amazon RDS in the US West (Oregon) region on behalf of
ExampleUser.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:ListGrants", "kms:DescribeKey" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": [ "ec2.us-west-2.amazonaws.com", "rds.us-west-2.amazonaws.com" ] } } }
You can also use a kms:ViaService condition key to deny permission to use a
CMK when the request comes from particular services. For example, the following policy
statement from a key policy uses a kms:ViaService condition key to prevent a
customer managed CMK from being used for Encrypt operations when the request
comes from AWS Lambda on behalf of ExampleUser.
{ "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": [ "kms:Encrypt" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": [ "lambda.us-west-2.amazonaws.com" ] } } }
Important
When you use the kms:ViaService condition key, the service makes the
request on behalf of a principal in the AWS account. These principals must have the
following permissions:
-
Permission to use the CMK. The principal needs to grant these permissions to the integrated service so the service can use the customer managed CMK on behalf of the principal. For more information, see How AWS Services use AWS KMS.
-
Permission to use the integrated service. For details about giving users access to an AWS service that integrates with AWS KMS, consult the documentation for the integrated service.
All AWS managed CMKs use a
kms:ViaService condition key in their key policy document. This condition
allows the CMK to be used only for requests that come from the service that created
the CMK.
To see the key policy for an AWS managed CMK, use the GetKeyPolicy operation.
The kms:ViaService condition key is valid in IAM and key policy statements.
The services that you specify must be integrated
with AWS KMS and support the kms:ViaService condition key.
The following table lists AWS services that are integrated with AWS KMS, support
customer managed CMKs, and support the use of the kms:ViaService condition key
in customer managed CMKs. The services in this table might not be available in all
regions.
Services that support the kms:ViaService condition
key in customer managed CMKs
| Service Name | KMS ViaService Name |
|---|---|
| AWS Backup | backup.AWS_region.amazonaws.com
|
| Amazon Connect | connect.AWS_region.amazonaws.com
|
| AWS Database Migration Service (AWS DMS) | dms.AWS_region.amazonaws.com
|
| AWS Directory Service | directoryservice.AWS_region.amazonaws.com
|
| Amazon EC2 Systems Manager | ssm.AWS_region.amazonaws.com
|
| Amazon Elastic Block Store (Amazon EBS) | ec2.AWS_region.amazonaws.com (EBS only)
|
| Amazon Elastic File System | elasticfilesystem.AWS_region.amazonaws.com
|
| Amazon Elasticsearch Service | es.AWS_region.amazonaws.com
|
| Amazon FSx | fsx.AWS_region.amazonaws.com
|
| AWS Glue | glue.AWS_region.amazonaws.com
|
| Amazon Kinesis | kinesis.AWS_region.amazonaws.com
|
| Amazon Kinesis Video Streams | kinesisvideo.AWS_region.amazonaws.com
|
| AWS Lambda | lambda.AWS_region.amazonaws.com
|
| Amazon Lex | lex.AWS_region.amazonaws.com
|
| Amazon Managed Streaming for Kafka | kafka.AWS_region.amazonaws.com
|
| Amazon Neptune | rds.AWS_region.amazonaws.com
|
| Amazon Redshift | redshift.AWS_region.amazonaws.com
|
| Amazon Relational Database Service (Amazon RDS) | rds.AWS_region.amazonaws.com
|
| Amazon RDS Performance Insights | rds.AWS_region.amazonaws.com
|
| AWS Secrets Manager (Secrets Manager) | secretsmanager.AWS_region.amazonaws.com
|
| Amazon Simple Email Service (Amazon SES) | ses.AWS_region.amazonaws.com
|
| Amazon Simple Notification Service (Amazon SNS) | sns.AWS_region.amazonaws.com
|
| Amazon Simple Storage Service (Amazon S3) | s3.AWS_region.amazonaws.com
|
| AWS Snowball | importexport.AWS_region.amazonaws.com
|
| Amazon SQS | sqs.AWS_region.amazonaws.com
|
| Amazon WorkMail | workmail.AWS_region.amazonaws.com
|
| Amazon WorkSpaces | workspaces.AWS_region.amazonaws.com
|
| AWS X-Ray | xray.AWS_region.amazonaws.com
|
kms:WrappingAlgorithm
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String |
|
IAM and key policies |
This condition key controls access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request. You can use this condition to require principals to use a particular algorithm to encrypt key material during the import process. Requests for the required public key and import token fail when they specify a different wrapping algorithm.
The following example policy statement uses the kms:WrappingAlgorithm
condition key to give the example user permission to call the
GetParametersForImport operation, but prevents them from using the
RSAES_OAEP_SHA_1 wrapping algorithm. When the WrappingAlgorithm in
the GetParametersForImport request is RSAES_OAEP_SHA_1, the
operation fails.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:GetParametersForImport", "Resource": "*", "Condition": { "StringNotEquals": { "kms:WrappingAlgorithm": "RSAES_OAEP_SHA_1" } } }
See Also
kms:WrappingKeySpec
| AWS KMS Condition Keys | Condition Type | API Operations | Policy Type |
|---|---|---|---|
|
|
String |
|
IAM and key policies |
This condition key controls access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request. You can use this condition to require principals to use a particular type of public key during the import process. If the request specifies a different key type, it fails.
Because the only valid value for the WrappingKeySpec parameter value is
RSA_2048, preventing users from using this value effectively prevents them from
using the GetParametersForImport operation.
The following example policy statement uses the kms:WrappingAlgorithm
condition key to require that the WrappingKeySpec in the request is
RSA_2048.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:GetParametersForImport", "Resource": "*", "Condition": { "StringEquals": { "kms:WrappingKeySpec": "RSA_2048" } } }
See Also
