AWS Key Management Service
Developer Guide

Working with Key Policies

The examples in this topic use the AWS KMS API to view and change the key policies of AWS KMS customer master keys (CMKs). For details about how to use key policies and IAM policies to manage access to your CMKs, see Authentication and Access Control for AWS KMS.

Listing Key Policy Names

To get the names of key policies for a customer master key, use the ListKeyPolicies operation. The only key policy name it returns is default.

This example uses the KMS client object that you created in Creating a Client.

JavaC#PythonRubyPHPNode.js
Java

For details about the Java implementation, see the listKeyPolicies method in the AWS SDK for Java API Reference.

// List key policies // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; ListKeyPoliciesRequest req = new ListKeyPoliciesRequest().withKeyId(keyId); ListKeyPoliciesResult result = kmsClient.listKeyPolicies(req);
C#

For details, see the ListKeyPolicies method in the AWS SDK for .NET.

// List key policies // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; ListKeyPoliciesRequest listKeyPoliciesRequest = new ListKeyPoliciesRequest() { KeyId = keyId }; ListKeyPoliciesResponse listKeyPoliciesResponse = kmsClient.ListKeyPolicies(listKeyPoliciesRequest);
Python

For details, see the list_key_policies method in the AWS SDK for Python (Boto 3).

# List key policies # Replace the following fictitious CMK ARN with a valid CMK ID or ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' response = kms_client.list_key_policies( KeyId=key_id )
Ruby

For details, see the list_key_policies instance method in the AWS SDK for Ruby.

# List key policies # Replace the following fictitious CMK ARN with a valid CMK ID or ARN keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' response = kmsClient.list_key_policies({ key_id: keyId })
PHP

For details, see the ListKeyPolicies method in the AWS SDK for PHP.

// List key policies // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $result = $KmsClient->listKeyPolicies([ 'KeyId' => $keyId ]);
Node.js

For details, see the listKeyPolicies property in the AWS SDK for JavaScript in Node.js.

// List key policies // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; kmsClient.listKeyPolicies({ KeyId }, (err, data) => { ... });

Getting a Key Policy

To get the key policy for a customer master key, use the GetKeyPolicy operation.

GetKeyPolicy requires a policy name. The only valid policy name is default.

This example uses the KMS client object that you created in Creating a Client.

JavaC#PythonRubyPHPNode.js
Java

For details, see the getKeyPolicy method in the AWS SDK for Java API Reference.

// Get the policy for a CMK // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; GetKeyPolicyRequest req = new GetKeyPolicyRequest().withKeyId(keyId).withPolicyName(policyName); GetKeyPolicyResult result = kmsClient.getKeyPolicy(req);
C#

For details, see the GetKeyPolicy method in the AWS SDK for .NET.

// Get the policy for a CMK // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; GetKeyPolicyRequest getKeyPolicyRequest = new GetKeyPolicyRequest() { KeyId = keyId, PolicyName = policyName }; GetKeyPolicyResponse getKeyPolicyResponse = kmsClient.GetKeyPolicy(getKeyPolicyRequest);
Python

For details, see the get_key_policy method in the AWS SDK for Python (Boto 3).

# Get the policy for a CMK # Replace the following fictitious CMK ARN with a valid CMK ID or ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policy_name = 'default' response = kms_client.get_key_policy( KeyId=key_id, PolicyName=policy_name )
Ruby

For details, see the get_key_policy instance method in the AWS SDK for Ruby.

# Get the policy for a CMK # Replace the following fictitious CMK ARN with a valid CMK ID or ARN keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policyName = 'default' response = kmsClient.get_key_policy({ key_id: keyId, policy_name: policyName })
PHP

For details, see the GetKeyPolicy method in the AWS SDK for PHP.

// Get the policy for a CMK // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $policyName = "default"; $result = $KmsClient->getKeyPolicy([ 'KeyId' => $keyId, 'PolicyName' => $policyName ]);
Node.js

For details, see the getKeyPolicy property in the AWS SDK for JavaScript in Node.js.

// Get the policy for a CMK // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; const PolicyName = 'default'; kmsClient.getKeyPolicy({ KeyId, PolicyName }, (err, data) => { ... });

Setting a Key Policy

To establish or change a key policy for a CMK, use the PutKeyPolicy operation.

PutKeyPolicy requires a policy name. The only valid policy name is default.

This example uses the KMS client object that you created in Creating a Client.

JavaC#PythonRubyPHPNode.js
Java

For details, see the putKeyPolicy method in the AWS SDK for Java API Reference.

// Set a key policy for a CMK // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; String policy = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [{" + " \"Sid\": \"Allow access for ExampleUser\"," + " \"Effect\": \"Allow\"," + // Replace the following user ARN with one for a real user. " \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," + " \"Action\": [" + " \"kms:Encrypt\"," + " \"kms:GenerateDataKey*\"," + " \"kms:Decrypt\"," + " \"kms:DescribeKey\"," + " \"kms:ReEncrypt*\"" + " ]," + " \"Resource\": \"*\"" + " }]" + "}"; PutKeyPolicyRequest req = new PutKeyPolicyRequest().withKeyId(keyId).withPolicy(policy).withPolicyName(policyName); kmsClient.putKeyPolicy(req);
C#

For details, see the PutKeyPolicy method in the AWS SDK for .NET.

// Set a key policy for a CMK // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; String policy = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [{" + " \"Sid\": \"Allow access for ExampleUser\"," + " \"Effect\": \"Allow\"," + // Replace the following user ARN with one for a real user. " \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," + " \"Action\": [" + " \"kms:Encrypt\"," + " \"kms:GenerateDataKey*\"," + " \"kms:Decrypt\"," + " \"kms:DescribeKey\"," + " \"kms:ReEncrypt*\"" + " ]," + " \"Resource\": \"*\"" + " }]" + "}"; PutKeyPolicyRequest putKeyPolicyRequest = new PutKeyPolicyRequest() { KeyId = keyId, Policy = policy, PolicyName = policyName }; kmsClient.PutKeyPolicy(putKeyPolicyRequest);
Python

For details, see the put_key_policy method in the AWS SDK for Python (Boto 3).

# Set a key policy for a CMK # Replace the following fictitious CMK ARN with a valid CMK ID or ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policy_name = 'default' policy = """ { "Version": "2012-10-17", "Statement": [{ "Sid": "Allow access for ExampleUser", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"}, "Action": [ "kms:Encrypt", "kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*" ], "Resource": "*" }] }""" response = kms_client.put_key_policy( KeyId=key_id, Policy=policy, PolicyName=policy_name )
Ruby

For details, see the put_key_policy instance method in the AWS SDK for Ruby.

# Set a key policy for a CMK # Replace the following fictitious CMK ARN with a valid CMK ID or ARN keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policyName = 'default' policy = "{\n \n "Version": "2012-10-17", \n "Statement": [{ \n "Sid": "Allow access for ExampleUser", \n "Effect": "Allow", \n "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"}, \n "Action": [ \n "kms:Encrypt", \n "kms:GenerateDataKey*", \n "kms:Decrypt", \n "kms:DescribeKey", \n "kms:ReEncrypt*" \n ], \n "Resource": "*" \n }] \n}\n" response = kmsClient.put_key_policy({ key_id: keyId, policy: policy, policy_name: policyName })
PHP

For details, see the PutKeyPolicy method in the AWS SDK for PHP.

// Set a key policy for a CMK // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $policyName = "default"; $result = $KmsClient->putKeyPolicy([ 'KeyId' => $keyId, 'PolicyName' => $policyName, 'Policy' => '{ "Version": "2012-10-17", "Id": "custom-policy-2016-12-07", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/root" }, "Action": [ "kms:*" ], "Resource": "*" }, { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": [ "kms:Encrypt*", "kms:GenerateDataKey*", "kms:Decrypt*", "kms:DescribeKey*", "kms:ReEncrypt*" ], "Resource": "*" } ] } ' ]);
Node.js

For details, see the putKeyPolicy property in the AWS SDK for Node.js.

// Set a key policy for a CMK // // Replace the following fictitious CMK ARN with a valid CMK ID or ARN const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; const PolicyName = 'default'; const Policy = `{ "Version": "2012-10-17", "Id": "custom-policy-2016-12-07", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": [ "kms:Encrypt*", "kms:GenerateDataKey*", "kms:Decrypt*", "kms:DescribeKey*", "kms:ReEncrypt*" ], "Resource": "*" } ] }`; // The key policy document kmsClient.putKeyPolicy({ KeyId, Policy, PolicyName }, (err, data) => { ... });