AWS Key Management Service
Developer Guide

Working with Key Policies

The examples in this topic use the AWS KMS API to view and change the key policies of AWS KMS customer master keys (CMKs). For details about how to use key policies and IAM policies to manage access to your CMKs, see Authentication and Access Control for AWS KMS.

Listing Key Policy Names

To get the names of key policies for a customer master key, use the ListKeyPolicies operation. The only key policy name it returns is default.

This example uses the KMS client object that you created in Creating a Client.

Java

For details about the Java implementation, see the listKeyPolicies method in the AWS SDK for Java API Reference.

// List key policies
//
// Replace the following fictitious CMK ARN with a valid CMK ID or ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
ListKeyPoliciesRequest req = new ListKeyPoliciesRequest().withKeyId(keyId);
ListKeyPoliciesResult result = kmsClient.listKeyPolicies(req);
C#

For details, see the ListKeyPolicies method in the AWS SDK for .NET.

// List key policies
//
// Replace the following fictitious CMK ARN with a valid CMK ID or ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
ListKeyPoliciesRequest listKeyPoliciesRequest = new ListKeyPoliciesRequest()
{
    KeyId = keyId
};
ListKeyPoliciesResponse listKeyPoliciesResponse = kmsClient.ListKeyPolicies(listKeyPoliciesRequest);
Python

For details, see the list_key_policies method in the AWS SDK for Python (Boto 3).

# List key policies
# Replace the following fictitious CMK ARN with a valid CMK ID or ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
response = kms_client.list_key_policies(
    KeyId=key_id
)
Ruby

For details, see the list_key_policies instance method in the AWS SDK for Ruby.

# List key policies
# Replace the following fictitious CMK ARN with a valid CMK ID or ARN
keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
response = kmsClient.list_key_policies({
  key_id: keyId
})

Getting a Key Policy

To get the key policy for a customer master key, use the GetKeyPolicy operation.

GetKeyPolicy requires a policy name. The only valid policy name is default.

This example uses the KMS client object that you created in Creating a Client.

Java

For details, see the getKeyPolicy method in the AWS SDK for Java API Reference.

// Get the policy for a CMK
//
// Replace the following fictitious CMK ARN with a valid CMK ID or ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";
GetKeyPolicyRequest req = new GetKeyPolicyRequest().withKeyId(keyId).withPolicyName(policyName);
GetKeyPolicyResult result = kmsClient.getKeyPolicy(req);
C#

For details, see the GetKeyPolicy method in the AWS SDK for .NET.

// Get the policy for a CMK
//
// Replace the following fictitious CMK ARN with a valid CMK ID or ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";
GetKeyPolicyRequest getKeyPolicyRequest = new GetKeyPolicyRequest()
{
    KeyId = keyId,
    PolicyName = policyName
};
GetKeyPolicyResponse getKeyPolicyResponse = kmsClient.GetKeyPolicy(getKeyPolicyRequest);
Python

For details, see the get_key_policy method in the AWS SDK for Python (Boto 3).

# Get the policy for a CMK
# Replace the following fictitious CMK ARN with a valid CMK ID or ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
policy_name = 'default'
response = kms_client.get_key_policy(
    KeyId=key_id,
    PolicyName=policy_name
)
Ruby

For details, see the get_key_policy instance method in the AWS SDK for Ruby.

# Get the policy for a CMK
# Replace the following fictitious CMK ARN with a valid CMK ID or ARN
keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
policyName = 'default'
response = kmsClient.get_key_policy({
  key_id: keyId,
  policy_name: policyName
})

Setting a Key Policy

To establish or change a key policy for a CMK, use the PutKeyPolicy operation.

PutKeyPolicy requires a policy name. The only valid policy name is default.

This example uses the KMS client object that you created in Creating a Client.

Java

For details, see the putKeyPolicy method in the AWS SDK for Java API Reference.

// Set a key policy for a CMK
//
// Replace the following fictitious CMK ARN with a valid CMK ID or ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";
String policy = "{" +
                "  \"Version\": \"2012-10-17\"," +
                "  \"Statement\": [{" +
                "    \"Sid\": \"Allow access for ExampleUser\"," +
                "    \"Effect\": \"Allow\"," +
                // Replace the following user ARN with one for a real user.
                "    \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," +
                "    \"Action\": [" +
                "      \"kms:Encrypt\"," +
                "      \"kms:GenerateDataKey*\"," +
                "      \"kms:Decrypt\"," +
                "      \"kms:DescribeKey\"," +
                "      \"kms:ReEncrypt*\"" +
                "    ]," +
                "    \"Resource\": \"*\"" +
                "  }]" +
                "}";
PutKeyPolicyRequest req = new PutKeyPolicyRequest().withKeyId(keyId).withPolicy(policy).withPolicyName(policyName);
kmsClient.putKeyPolicy(req);
C#

For details, see the PutKeyPolicy method in the AWS SDK for .NET.

// Set a key policy for a CMK
//
// Replace the following fictitious CMK ARN with a valid CMK ID or ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";
String policy = "{" +
                "  \"Version\": \"2012-10-17\"," +
                "  \"Statement\": [{" +
                "    \"Sid\": \"Allow access for ExampleUser\"," +
                "    \"Effect\": \"Allow\"," +
                // Replace the following user ARN with one for a real user.
                "    \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," +
                "    \"Action\": [" +
                "      \"kms:Encrypt\"," +
                "      \"kms:GenerateDataKey*\"," +
                "      \"kms:Decrypt\"," +
                "      \"kms:DescribeKey\"," +
                "      \"kms:ReEncrypt*\"" +
                "    ]," +
                "    \"Resource\": \"*\"" +
                "  }]" +
                "}";
PutKeyPolicyRequest putKeyPolicyRequest = new PutKeyPolicyRequest()
{
    KeyId = keyId,
    Policy = policy,
    PolicyName = policyName
};
kmsClient.PutKeyPolicy(putKeyPolicyRequest);
Python

For details, see the put_key_policy method in the AWS SDK for Python (Boto 3).

# Set a key policy for a CMK
# Replace the following fictitious CMK ARN with a valid CMK ID or ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
policy_name = 'default'
policy = """
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow access for ExampleUser",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"},
        "Action": [
            "kms:Encrypt",
            "kms:GenerateDataKey*",
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:ReEncrypt*"
        ],
        "Resource": "*"
    }]
}"""
response = kms_client.put_key_policy(
    KeyId=key_id,
    Policy=policy,
    PolicyName=policy_name
)
Ruby

For details, see the put_key_policy instance method in the AWS SDK for Ruby.

# Set a key policy for a CMK
# Replace the following fictitious CMK ARN with a valid CMK ID or ARN
keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
policyName = 'default'
# A heredoc holds the JSON document without escaping every double quote
policy = <<-POLICY
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow access for ExampleUser",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"},
    "Action": [
      "kms:Encrypt",
      "kms:GenerateDataKey*",
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:ReEncrypt*"
    ],
    "Resource": "*"
  }]
}
POLICY
response = kmsClient.put_key_policy({
  key_id: keyId,
  policy: policy,
  policy_name: policyName
})
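The PutKeyPolicy samples above replace the CMK's entire key policy with a document that names only ExampleUser, and the GetKeyPolicy samples return the same kind of JSON document. The following added example (not from the AWS guide) audits such a document on the client side before it is handed to put_key_policy: it flags Allow statements with a wildcard principal and no Condition, and warns when no principal in the key's own account keeps kms:PutKeyPolicy. The account ID, the stub-friendly client parameter and the sample policy are assumptions constructed for the example; kms_client is expected to be a boto3 KMS client when run for real.

```python
import json

# Added example, not from the AWS guide: pre-check a key policy document
# before PutKeyPolicy. Flags Allow statements with a wildcard principal and
# no Condition, and warns when no principal in the key's own account keeps
# kms:PutKeyPolicy (or kms:*), the way a replacement policy locks out its owner.

def _as_list(value):  # policy fields may be a scalar or a list
    return [] if value is None else value if isinstance(value, list) else [value]

def _principals(statement):  # flatten Principal into a list of strings
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [p for ids in principal.values() for p in _as_list(ids)]

def audit_key_policy(policy_json, account_id):
    """Return a list of finding strings; empty means nothing flagged."""
    findings, admin_in_account = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principals = stmt.get("Sid", "<no Sid>"), _principals(stmt)
        actions = _as_list(stmt.get("Action"))
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: allows any principal (*) with no Condition")
        grants_admin = any(a in ("kms:*", "kms:PutKeyPolicy") for a in actions)
        if grants_admin and any(p == account_id or f":{account_id}:" in p
                                for p in principals):
            admin_in_account = True
    if not admin_in_account:
        findings.append(f"no principal in account {account_id} keeps "
                        "kms:PutKeyPolicy; applying this policy risks lockout")
    return findings

def put_key_policy_checked(kms_client, key_id, policy_json, account_id):
    """Call PutKeyPolicy (boto3 client or stub) only if the audit is clean."""
    findings = audit_key_policy(policy_json, account_id)
    if not findings:
        kms_client.put_key_policy(KeyId=key_id, Policy=policy_json, PolicyName="default")
    return findings

# Constructed sample: the ExampleUser policy from the PutKeyPolicy samples
# above (fictitious account 111122223333); it grants usage but no admin rights.
EXAMPLE_USER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow access for ExampleUser", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"},
    "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:Decrypt",
               "kms:DescribeKey", "kms:ReEncrypt*"], "Resource": "*"}]})
```

Run against EXAMPLE_USER_POLICY the audit reports the lockout finding, because that document keeps no account principal with kms:PutKeyPolicy; a policy whose first statement grants kms:* to arn:aws:iam::111122223333:root passes cleanly.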