Use VPC endpoints to control access to AWS KMS resources - AWS Key Management Service

Use VPC endpoints to control access to AWS KMS resources

You can control access to AWS KMS resources and operations when the request comes from VPC or uses a VPC endpoint. To do so, use one of the following global condition keys in a key policy or IAM policy.

  • Use the aws:sourceVpce condition key to grant or restrict access based on the VPC endpoint.

  • Use the aws:sourceVpc condition key to grant or restrict access based on the VPC that hosts the private endpoint.

Note

Use caution when creating key policies and IAM policies based on your VPC endpoint. If a policy statement requires that requests come from a particular VPC or VPC endpoint, requests from integrated AWS services that use an AWS KMS resource on your behalf might fail. For help, see Using VPC endpoint conditions in policies with AWS KMS permissions.

Also, the aws:sourceIP condition key is not effective when the request comes from an Amazon VPC endpoint. To restrict requests to a VPC endpoint, use the aws:sourceVpce or aws:sourceVpc condition keys. For more information, see Identity and access management for VPC endpoints and VPC endpoint services in the AWS PrivateLink Guide.

You can use these global condition keys to control access to AWS KMS keys (KMS keys), aliases, and to operations like CreateKey that don't depend on any particular resource.

For example, the following sample key policy allows a user to perform some cryptographic operations with a KMS key only when the request uses the specified VPC endpoint. When a user makes a request to AWS KMS, the VPC endpoint ID in the request is compared to the aws:sourceVpce condition key value in the policy. If they do not match, the request is denied.

To use a policy like this one, replace the placeholder AWS account ID and VPC endpoint IDs with valid values for your account.

{ "Id": "example-key-1", "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM policies", "Effect": "Allow", "Principal": {"AWS":["111122223333"]}, "Action": ["kms:*"], "Resource": "*" }, { "Sid": "Restrict usage to my VPC endpoint", "Effect": "Deny", "Principal": "*", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-1234abcdf5678c90a" } } } ] }

You can also use the aws:sourceVpc condition key to restrict access to your KMS keys based on the VPC in which VPC endpoint resides.

The following sample key policy allows commands that manage the KMS key only when they come from vpc-12345678. In addition, it allows commands that use the KMS key for cryptographic operations only when they come from vpc-2b2b2b2b. You might use a policy like this one if an application is running in one VPC, but you use a second, isolated VPC for management functions.

To use a policy like this one, replace the placeholder AWS account ID and VPC endpoint IDs with valid values for your account.

{ "Id": "example-key-2", "Version": "2012-10-17", "Statement": [ { "Sid": "Allow administrative actions from vpc-12345678", "Effect": "Allow", "Principal": {"AWS": "111122223333"}, "Action": [ "kms:Create*","kms:Enable*","kms:Put*","kms:Update*", "kms:Revoke*","kms:Disable*","kms:Delete*", "kms:TagResource", "kms:UntagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:sourceVpc": "vpc-12345678" } } }, { "Sid": "Allow key usage from vpc-2b2b2b2b", "Effect": "Allow", "Principal": {"AWS": "111122223333"}, "Action": [ "kms:Encrypt","kms:Decrypt","kms:GenerateDataKey*" ], "Resource": "*", "Condition": { "StringEquals": { "aws:sourceVpc": "vpc-2b2b2b2b" } } }, { "Sid": "Allow read actions from everywhere", "Effect": "Allow", "Principal": {"AWS": "111122223333"}, "Action": [ "kms:Describe*","kms:List*","kms:Get*" ], "Resource": "*", } ] }