Actions, resources, and condition keys for AWS Key Management Service

AWS Key Management Service (service prefix: kms) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by AWS Key Management Service
Resource types defined by AWS Key Management Service
Condition keys for AWS Key Management Service

Actions defined by AWS Key Management Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
CancelKeyDeletion	Controls permission to cancel the scheduled deletion of an AWS KMS key	Write	key*
CancelKeyDeletion		Write		kms:CallerAccount kms:ViaService
ConnectCustomKeyStore	Controls permission to connect or reconnect a custom key store to its associated AWS CloudHSM cluster	Write		kms:CallerAccount
CreateAlias	Controls permission to create an alias for an AWS KMS key. Aliases are optional friendly names that you can associate with KMS keys	Write	alias*
			key*
				kms:CallerAccount kms:ViaService
CreateCustomKeyStore	Controls permission to create a custom key store that is associated with an AWS CloudHSM cluster that you own and manage	Write		kms:CallerAccount	cloudhsm:DescribeClusters iam:CreateServiceLinkedRole
CreateGrant	Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy	Permissions management	key*
CreateGrant		Permissions management		kms:CallerAccount kms:EncryptionContext:${EncryptionContextKey} kms:EncryptionContextKeys kms:GrantConstraintType kms:GranteePrincipal kms:GrantIsForAWSResource kms:GrantOperations kms:RetiringPrincipal kms:ViaService
CreateKey	Controls permission to create an AWS KMS key that can be used to protect data keys and other sensitive information	Write		aws:ResourceTag/${TagKey} aws:RequestTag/${TagKey} aws:TagKeys kms:BypassPolicyLockoutSafetyCheck kms:CallerAccount kms:KeySpec kms:KeyUsage kms:KeyOrigin kms:MultiRegion kms:MultiRegionKeyType kms:ViaService	iam:CreateServiceLinkedRole kms:PutKeyPolicy kms:TagResource
Decrypt	Controls permission to decrypt ciphertext that was encrypted under an AWS KMS key	Write	key*
Decrypt		Write		kms:CallerAccount kms:EncryptionAlgorithm kms:EncryptionContext:${EncryptionContextKey} kms:EncryptionContextKeys kms:RecipientAttestation:ImageSha384 kms:RequestAlias kms:ViaService
DeleteAlias	Controls permission to delete an alias. Aliases are optional friendly names that you can associate with AWS KMS keys	Write	alias*
			key*
				kms:CallerAccount kms:ViaService
DeleteCustomKeyStore	Controls permission to delete a custom key store	Write		kms:CallerAccount
DeleteImportedKeyMaterial	Controls permission to delete cryptographic material that you imported into an AWS KMS key. This action makes the key unusable	Write	key*
DeleteImportedKeyMaterial		Write		kms:CallerAccount kms:ViaService
DescribeCustomKeyStores	Controls permission to view detailed information about custom key stores in the account and region	Read		kms:CallerAccount
DescribeKey	Controls permission to view detailed information about an AWS KMS key	Read	key*
DescribeKey		Read		kms:CallerAccount kms:RequestAlias kms:ViaService
DisableKey	Controls permission to disable an AWS KMS key, which prevents it from being used in cryptographic operations	Write	key*
DisableKey		Write		kms:CallerAccount kms:ViaService
DisableKeyRotation	Controls permission to disable automatic rotation of a customer managed AWS KMS key	Write	key*
DisableKeyRotation		Write		kms:CallerAccount kms:ViaService
DisconnectCustomKeyStore	Controls permission to disconnect the custom key store from its associated AWS CloudHSM cluster	Write		kms:CallerAccount
EnableKey	Controls permission to change the state of an AWS KMS key to enabled. This allows the KMS key to be used in cryptographic operations	Write	key*
EnableKey		Write		kms:CallerAccount kms:ViaService
EnableKeyRotation	Controls permission to enable automatic rotation of the cryptographic material in an AWS KMS key	Write	key*
EnableKeyRotation		Write		kms:CallerAccount kms:ViaService
Encrypt	Controls permission to use the specified AWS KMS key to encrypt data and data keys	Write	key*
Encrypt		Write		kms:CallerAccount kms:EncryptionAlgorithm kms:EncryptionContext:${EncryptionContextKey} kms:EncryptionContextKeys kms:RequestAlias kms:ViaService
GenerateDataKey	Controls permission to use the AWS KMS key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS	Write	key*
GenerateDataKey		Write		kms:CallerAccount kms:EncryptionAlgorithm kms:EncryptionContext:${EncryptionContextKey} kms:EncryptionContextKeys kms:RecipientAttestation:ImageSha384 kms:RequestAlias kms:ViaService
GenerateDataKeyPair	Controls permission to use the AWS KMS key to generate data key pairs	Write	key*
GenerateDataKeyPair		Write		kms:CallerAccount kms:DataKeyPairSpec kms:EncryptionAlgorithm kms:EncryptionContext:${EncryptionContextKey} kms:EncryptionContextKeys kms:RequestAlias kms:ViaService
GenerateDataKeyPairWithoutPlaintext	Controls permission to use the AWS KMS key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy	Write	key*
GenerateDataKeyPairWithoutPlaintext		Write		kms:CallerAccount kms:DataKeyPairSpec kms:EncryptionAlgorithm kms:EncryptionContext:${EncryptionContextKey} kms:EncryptionContextKeys kms:RequestAlias kms:ViaService
GenerateDataKeyWithoutPlaintext	Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key	Write	key*
GenerateDataKeyWithoutPlaintext		Write		kms:CallerAccount kms:EncryptionAlgorithm kms:EncryptionContext:${EncryptionContextKey} kms:EncryptionContextKeys kms:RequestAlias kms:ViaService
GenerateMac	Controls permission to use the AWS KMS key to generate message authentication codes	Write	key*
GenerateMac		Write		kms:CallerAccount kms:MacAlgorithm kms:RequestAlias kms:ViaService
GenerateRandom	Controls permission to get a cryptographically secure random byte string from AWS KMS	Write		kms:RecipientAttestation:ImageSha384
GetKeyPolicy	Controls permission to view the key policy for the specified AWS KMS key	Read	key*
GetKeyPolicy		Read		kms:CallerAccount kms:ViaService
GetKeyRotationStatus	Controls permission to determine whether automatic key rotation is enabled on the AWS KMS key	Read	key*
GetKeyRotationStatus		Read		kms:CallerAccount kms:ViaService
GetParametersForImport	Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token	Read	key*
GetParametersForImport		Read		kms:CallerAccount kms:ViaService kms:WrappingAlgorithm kms:WrappingKeySpec
GetPublicKey	Controls permission to download the public key of an asymmetric AWS KMS key	Read	key*
GetPublicKey		Read		kms:CallerAccount kms:RequestAlias kms:ViaService
ImportKeyMaterial	Controls permission to import cryptographic material into an AWS KMS key	Write	key*
ImportKeyMaterial		Write		kms:CallerAccount kms:ExpirationModel kms:ValidTo kms:ViaService
ListAliases	Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with AWS KMS keys	List
ListGrants	Controls permission to view all grants for an AWS KMS key	List	key*
ListGrants	Controls permission to view all grants for an AWS KMS key	List		kms:CallerAccount kms:GrantIsForAWSResource kms:ViaService
ListKeyPolicies	Controls permission to view the names of key policies for an AWS KMS key	List	key*
ListKeyPolicies		List		kms:CallerAccount kms:ViaService
ListKeys	Controls permission to view the key ID and Amazon Resource Name (ARN) of all AWS KMS keys in the account	List
ListResourceTags	Controls permission to view all tags that are attached to an AWS KMS key	List	key*
ListResourceTags		List		kms:CallerAccount kms:ViaService
ListRetirableGrants	Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants	List	key*
PutKeyPolicy	Controls permission to replace the key policy for the specified AWS KMS key	Permissions management	key*
PutKeyPolicy		Permissions management		kms:BypassPolicyLockoutSafetyCheck kms:CallerAccount kms:ViaService
ReEncryptFrom	Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS	Write	key*
ReEncryptFrom		Write		kms:CallerAccount kms:EncryptionAlgorithm kms:EncryptionContext:${EncryptionContextKey} kms:EncryptionContextKeys kms:ReEncryptOnSameKey kms:RequestAlias kms:ViaService
ReEncryptTo	Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS	Write	key*
ReEncryptTo		Write		kms:CallerAccount kms:EncryptionAlgorithm kms:EncryptionContext:${EncryptionContextKey} kms:EncryptionContextKeys kms:ReEncryptOnSameKey kms:RequestAlias kms:ViaService
ReplicateKey	Controls permission to replicate a multi-Region primary key	Write	key*		iam:CreateServiceLinkedRole kms:CreateKey kms:PutKeyPolicy kms:TagResource
ReplicateKey	Controls permission to replicate a multi-Region primary key	Write		kms:CallerAccount kms:ReplicaRegion kms:ViaService
RetireGrant	Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform	Permissions management	key*
RevokeGrant	Controls permission to revoke a grant, which denies permission for all operations that depend on the grant	Permissions management	key*
RevokeGrant		Permissions management		kms:CallerAccount kms:GrantIsForAWSResource kms:ViaService
ScheduleKeyDeletion	Controls permission to schedule deletion of an AWS KMS key	Write	key*
ScheduleKeyDeletion	Controls permission to schedule deletion of an AWS KMS key	Write		kms:CallerAccount kms:ViaService
Sign	Controls permission to produce a digital signature for a message	Write	key*
Sign		Write		kms:CallerAccount kms:MessageType kms:RequestAlias kms:SigningAlgorithm kms:ViaService
SynchronizeMultiRegionKey [permission only]	Controls access to internal APIs that synchronize multi-Region keys	Write	key*
TagResource	Controls permission to create or update tags that are attached to an AWS KMS key	Tagging	key*
TagResource		Tagging		aws:RequestTag/${TagKey} aws:TagKeys kms:CallerAccount kms:ViaService
UntagResource	Controls permission to delete tags that are attached to an AWS KMS key	Tagging	key*
UntagResource		Tagging		aws:TagKeys kms:CallerAccount kms:ViaService
UpdateAlias	Controls permission to associate an alias with a different AWS KMS key. An alias is an optional friendly name that you can associate with a KMS key	Write	alias*
			key*
				kms:CallerAccount kms:ViaService
UpdateCustomKeyStore	Controls permission to change the properties of a custom key store	Write		kms:CallerAccount
UpdateKeyDescription	Controls permission to delete or change the description of an AWS KMS key	Write	key*
UpdateKeyDescription		Write		kms:CallerAccount kms:ViaService
UpdatePrimaryRegion	Controls permission to update the primary Region of a multi-Region primary key	Write	key*
UpdatePrimaryRegion		Write		kms:CallerAccount kms:PrimaryRegion kms:ViaService
Verify	Controls permission to use the specified AWS KMS key to verify digital signatures	Write	key*
Verify		Write		kms:CallerAccount kms:MessageType kms:RequestAlias kms:SigningAlgorithm kms:ViaService
VerifyMac	Controls permission to use the AWS KMS key to verify message authentication codes	Write	key*
VerifyMac		Write		kms:CallerAccount kms:MacAlgorithm kms:RequestAlias kms:ViaService

Resource types defined by AWS Key Management Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys

alias arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}

Resource types	ARN	Condition keys
alias	`arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}`
key	`arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}`	aws:ResourceTag/${TagKey} kms:KeyOrigin kms:KeySpec kms:KeyUsage kms:MultiRegion kms:MultiRegionKeyType kms:ResourceAliases

key

arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}

aws:ResourceTag/${TagKey}

kms:MultiRegionKeyType

kms:ResourceAliases

Condition keys for AWS Key Management Service

AWS Key Management Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access to the specified AWS KMS operations based on both the key and value of the tag in the request	String
aws:ResourceTag/${TagKey}	Filters access to the specified AWS KMS operations based on tags assigned to the AWS KMS key	String
aws:TagKeys	Filters access to the specified AWS KMS operations based on tag keys in the request	ArrayOfString
kms:BypassPolicyLockoutSafetyCheck	Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request	Bool
kms:CallerAccount	Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement	String
kms:CustomerMasterKeySpec	The kms:CustomerMasterKeySpec condition key is deprecated. Instead, use the kms:KeySpec condition key	String
kms:CustomerMasterKeyUsage	The kms:CustomerMasterKeyUsage condition key is deprecated. Instead, use the kms:KeyUsage condition key	String
kms:DataKeyPairSpec	Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the KeyPairSpec parameter in the request	String
kms:EncryptionAlgorithm	Filters access to encryption operations based on the value of the encryption algorithm in the request	String
kms:EncryptionContext:${EncryptionContextKey}	Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition evaluates the key and value in each key-value encryption context pair	String
kms:EncryptionContextKeys	Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition key evaluates only the key in each key-value encryption context pair	ArrayOfString
kms:ExpirationModel	Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request	String
kms:GrantConstraintType	Filters access to the CreateGrant operation based on the grant constraint in the request	String
kms:GrantIsForAWSResource	Filters access to the CreateGrant operation when the request comes from a specified AWS service	Bool
kms:GrantOperations	Filters access to the CreateGrant operation based on the operations in the grant	ArrayOfString
kms:GranteePrincipal	Filters access to the CreateGrant operation based on the grantee principal in the grant	String
kms:KeyOrigin	Filters access to an API operation based on the Origin property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key	String
kms:KeySpec	Filters access to an API operation based on the KeySpec property of the AWS KMS key that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource	String
kms:KeyUsage	Filters access to an API operation based on the KeyUsage property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource	String
kms:MacAlgorithm	Filters access to the GenerateMac and VerifyMac operations based on the MacAlgorithm parameter in the request	String
kms:MessageType	Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request	String
kms:MultiRegion	Filters access to an API operation based on the MultiRegion property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource	Bool
kms:MultiRegionKeyType	Filters access to an API operation based on the MultiRegionKeyType property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource	String
kms:PrimaryRegion	Filters access to the UpdatePrimaryRegion operation based on the value of the PrimaryRegion parameter in the request	String
kms:ReEncryptOnSameKey	Filters access to the ReEncrypt operation when it uses the same AWS KMS key that was used for the Encrypt operation	Bool
kms:RecipientAttestation:ImageSha384	Filters access to the Decrypt, GenerateDataKey, and GenerateRandom operations based on the image hash in the attestation document in the request	String
kms:RecipientAttestation:PCR	Filters access to the Decrypt, GenerateDataKey, and GenerateRandom operations based on the platform configuration registers (PCRs) in the attestation document in the request	String
kms:ReplicaRegion	Filters access to the ReplicateKey operation based on the value of the ReplicaRegion parameter in the request	String
kms:RequestAlias	Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request	String
kms:ResourceAliases	Filters access to specified AWS KMS operations based on aliases associated with the AWS KMS key	ArrayOfString
kms:RetiringPrincipal	Filters access to the CreateGrant operation based on the retiring principal in the grant	String
kms:SigningAlgorithm	Filters access to the Sign and Verify operations based on the signing algorithm in the request	String
kms:ValidTo	Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date	Date
kms:ViaService	Filters access when a request made on the principal's behalf comes from a specified AWS service	String
kms:WrappingAlgorithm	Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request	String
kms:WrappingKeySpec	Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions