Actions, resources, and condition keys for AWS Key Management Service - Service Authorization Reference

AWS Key Management Service (service prefix: kms) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Key Management Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. The Resource types (*required) column of the Actions table links to the resource type that applies to an action. That resource type's row in the Resource types table has a Condition keys column, which lists the resource condition keys that apply to the action.

For details about the columns in the following table, see Actions table.

Actions table (columns: Action; Description; Access level; Resource types (*required); Condition keys; Dependent actions). Columns that are empty for an action are omitted from its entry; an action with no Resource types entry must be granted with Resource "*".

CancelKeyDeletion
  Description: Controls permission to cancel the scheduled deletion of an AWS KMS key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

ConnectCustomKeyStore
  Description: Controls permission to connect or reconnect a custom key store to its associated AWS CloudHSM cluster or external key manager outside of AWS
  Access level: Write
  Condition keys: kms:CallerAccount

CreateAlias
  Description: Controls permission to create an alias for an AWS KMS key. Aliases are optional friendly names that you can associate with KMS keys
  Access level: Write
  Resource types: alias*, key*
  Condition keys: kms:CallerAccount, kms:ViaService

CreateCustomKeyStore
  Description: Controls permission to create a custom key store that is backed by an AWS CloudHSM cluster or an external key manager outside of AWS
  Access level: Write
  Condition keys: kms:CallerAccount
  Dependent actions: cloudhsm:DescribeClusters, iam:CreateServiceLinkedRole

CreateGrant
  Description: Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy
  Access level: Permissions management
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:EncryptionContext:${EncryptionContextKey}, kms:EncryptionContextKeys, kms:GrantConstraintType, kms:GranteePrincipal, kms:GrantIsForAWSResource, kms:GrantOperations, kms:RetiringPrincipal, kms:ViaService

CreateKey
  Description: Controls permission to create an AWS KMS key that can be used to protect data keys and other sensitive information
  Access level: Write
  Condition keys: aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys, kms:BypassPolicyLockoutSafetyCheck, kms:CallerAccount, kms:KeySpec, kms:KeyUsage, kms:KeyOrigin, kms:MultiRegion, kms:MultiRegionKeyType, kms:ViaService
  Dependent actions: iam:CreateServiceLinkedRole, kms:PutKeyPolicy, kms:TagResource

Decrypt
  Description: Controls permission to decrypt ciphertext that was encrypted under an AWS KMS key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:EncryptionAlgorithm, kms:EncryptionContext:${EncryptionContextKey}, kms:EncryptionContextKeys, kms:RecipientAttestation:ImageSha384, kms:RecipientAttestation:PCR0 through kms:RecipientAttestation:PCR31 (one key per register, PCR0 to PCR31), kms:RequestAlias, kms:ViaService

DeleteAlias
  Description: Controls permission to delete an alias. Aliases are optional friendly names that you can associate with AWS KMS keys
  Access level: Write
  Resource types: alias*, key*
  Condition keys: kms:CallerAccount, kms:ViaService

DeleteCustomKeyStore
  Description: Controls permission to delete a custom key store
  Access level: Write
  Condition keys: kms:CallerAccount

DeleteImportedKeyMaterial
  Description: Controls permission to delete cryptographic material that you imported into an AWS KMS key. This action makes the key unusable
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

DeriveSharedSecret
  Description: Controls permission to use the specified AWS KMS key to derive shared secrets
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:KeyAgreementAlgorithm, kms:RecipientAttestation:ImageSha384, kms:RecipientAttestation:PCR0 through kms:RecipientAttestation:PCR31 (one key per register, PCR0 to PCR31), kms:RequestAlias, kms:ViaService

DescribeCustomKeyStores
  Description: Controls permission to view detailed information about custom key stores in the account and region
  Access level: Read
  Condition keys: kms:CallerAccount

DescribeKey
  Description: Controls permission to view detailed information about an AWS KMS key
  Access level: Read
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:RequestAlias, kms:ViaService

DisableKey
  Description: Controls permission to disable an AWS KMS key, which prevents it from being used in cryptographic operations
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

DisableKeyRotation
  Description: Controls permission to disable automatic rotation of a customer managed AWS KMS key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

DisconnectCustomKeyStore
  Description: Controls permission to disconnect the custom key store from its associated AWS CloudHSM cluster or external key manager outside of AWS
  Access level: Write
  Condition keys: kms:CallerAccount

EnableKey
  Description: Controls permission to change the state of an AWS KMS key to enabled. This allows the KMS key to be used in cryptographic operations
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

EnableKeyRotation
  Description: Controls permission to enable automatic rotation of the cryptographic material in an AWS KMS key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:RotationPeriodInDays, kms:ViaService

Encrypt
  Description: Controls permission to use the specified AWS KMS key to encrypt data and data keys
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:EncryptionAlgorithm, kms:EncryptionContext:${EncryptionContextKey}, kms:EncryptionContextKeys, kms:RequestAlias, kms:ViaService

GenerateDataKey
  Description: Controls permission to use the AWS KMS key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:EncryptionAlgorithm, kms:EncryptionContext:${EncryptionContextKey}, kms:EncryptionContextKeys, kms:RecipientAttestation:ImageSha384, kms:RecipientAttestation:PCR0 through kms:RecipientAttestation:PCR31 (one key per register, PCR0 to PCR31), kms:RequestAlias, kms:ViaService

GenerateDataKeyPair
  Description: Controls permission to use the AWS KMS key to generate data key pairs
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:DataKeyPairSpec, kms:EncryptionAlgorithm, kms:EncryptionContext:${EncryptionContextKey}, kms:EncryptionContextKeys, kms:RecipientAttestation:ImageSha384, kms:RecipientAttestation:PCR0 through kms:RecipientAttestation:PCR31 (one key per register, PCR0 to PCR31), kms:RequestAlias, kms:ViaService

GenerateDataKeyPairWithoutPlaintext
  Description: Controls permission to use the AWS KMS key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:DataKeyPairSpec, kms:EncryptionAlgorithm, kms:EncryptionContext:${EncryptionContextKey}, kms:EncryptionContextKeys, kms:RequestAlias, kms:ViaService

GenerateDataKeyWithoutPlaintext
  Description: Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:EncryptionAlgorithm, kms:EncryptionContext:${EncryptionContextKey}, kms:EncryptionContextKeys, kms:RequestAlias, kms:ViaService

GenerateMac
  Description: Controls permission to use the AWS KMS key to generate message authentication codes
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:MacAlgorithm, kms:RequestAlias, kms:ViaService

GenerateRandom
  Description: Controls permission to get a cryptographically secure random byte string from AWS KMS
  Access level: Write
  Condition keys: kms:RecipientAttestation:ImageSha384, kms:RecipientAttestation:PCR0 through kms:RecipientAttestation:PCR31 (one key per register, PCR0 to PCR31)

GetKeyPolicy
  Description: Controls permission to view the key policy for the specified AWS KMS key
  Access level: Read
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

GetKeyRotationStatus
  Description: Controls permission to view the key rotation status for an AWS KMS key
  Access level: Read
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

GetParametersForImport
  Description: Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token
  Access level: Read
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService, kms:WrappingAlgorithm, kms:WrappingKeySpec

GetPublicKey
  Description: Controls permission to download the public key of an asymmetric AWS KMS key
  Access level: Read
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:RequestAlias, kms:ViaService

ImportKeyMaterial
  Description: Controls permission to import cryptographic material into an AWS KMS key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ExpirationModel, kms:ValidTo, kms:ViaService

ListAliases
  Description: Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with AWS KMS keys
  Access level: List

ListGrants
  Description: Controls permission to view all grants for an AWS KMS key
  Access level: List
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:GrantIsForAWSResource, kms:ViaService

ListKeyPolicies
  Description: Controls permission to view the names of key policies for an AWS KMS key
  Access level: List
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

ListKeyRotations
  Description: Controls permission to view the list of completed key rotations for an AWS KMS key
  Access level: List
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

ListKeys
  Description: Controls permission to view the key ID and Amazon Resource Name (ARN) of all AWS KMS keys in the account
  Access level: List

ListResourceTags
  Description: Controls permission to view all tags that are attached to an AWS KMS key
  Access level: List
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

ListRetirableGrants
  Description: Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants
  Access level: List

PutKeyPolicy
  Description: Controls permission to replace the key policy for the specified AWS KMS key
  Access level: Permissions management
  Resource types: key*
  Condition keys: kms:BypassPolicyLockoutSafetyCheck, kms:CallerAccount, kms:ViaService

ReEncryptFrom
  Description: Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:EncryptionAlgorithm, kms:EncryptionContext:${EncryptionContextKey}, kms:EncryptionContextKeys, kms:ReEncryptOnSameKey, kms:RequestAlias, kms:ViaService

ReEncryptTo
  Description: Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:EncryptionAlgorithm, kms:EncryptionContext:${EncryptionContextKey}, kms:EncryptionContextKeys, kms:ReEncryptOnSameKey, kms:RequestAlias, kms:ViaService

ReplicateKey
  Description: Controls permission to replicate a multi-Region primary key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ReplicaRegion, kms:ViaService
  Dependent actions: iam:CreateServiceLinkedRole, kms:CreateKey, kms:PutKeyPolicy, kms:TagResource

RetireGrant
  Description: Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform
  Access level: Permissions management
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:EncryptionContext:${EncryptionContextKey}, kms:EncryptionContextKeys, kms:GrantConstraintType, kms:ViaService

RevokeGrant
  Description: Controls permission to revoke a grant, which denies permission for all operations that depend on the grant
  Access level: Permissions management
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:GrantIsForAWSResource, kms:ViaService

RotateKeyOnDemand
  Description: Controls permission to invoke on-demand rotation of the cryptographic material in an AWS KMS key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

ScheduleKeyDeletion
  Description: Controls permission to schedule deletion of an AWS KMS key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ScheduleKeyDeletionPendingWindowInDays, kms:ViaService

Sign
  Description: Controls permission to produce a digital signature for a message
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:MessageType, kms:RequestAlias, kms:SigningAlgorithm, kms:ViaService

SynchronizeMultiRegionKey [permission only]
  Description: Controls access to internal APIs that synchronize multi-Region keys
  Access level: Write
  Resource types: key*

TagResource
  Description: Controls permission to create or update tags that are attached to an AWS KMS key
  Access level: Tagging
  Resource types: key*
  Condition keys: aws:RequestTag/${TagKey}, aws:TagKeys, kms:CallerAccount, kms:ViaService

UntagResource
  Description: Controls permission to delete tags that are attached to an AWS KMS key
  Access level: Tagging
  Resource types: key*
  Condition keys: aws:TagKeys, kms:CallerAccount, kms:ViaService

UpdateAlias
  Description: Controls permission to associate an alias with a different AWS KMS key. An alias is an optional friendly name that you can associate with a KMS key
  Access level: Write
  Resource types: alias*, key*
  Condition keys: kms:CallerAccount, kms:ViaService

UpdateCustomKeyStore
  Description: Controls permission to change the properties of a custom key store
  Access level: Write
  Condition keys: kms:CallerAccount

UpdateKeyDescription
  Description: Controls permission to delete or change the description of an AWS KMS key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:ViaService

UpdatePrimaryRegion
  Description: Controls permission to update the primary Region of a multi-Region primary key
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:PrimaryRegion, kms:ViaService

Verify
  Description: Controls permission to use the specified AWS KMS key to verify digital signatures
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:MessageType, kms:RequestAlias, kms:SigningAlgorithm, kms:ViaService

VerifyMac
  Description: Controls permission to use the AWS KMS key to verify message authentication codes
  Access level: Write
  Resource types: key*
  Condition keys: kms:CallerAccount, kms:MacAlgorithm, kms:RequestAlias, kms:ViaService

Resource types defined by AWS Key Management Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types table (columns: Resource type; ARN; Condition keys)

alias
  ARN: arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}

key
  ARN: arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}
  Condition keys: aws:ResourceTag/${TagKey}, kms:KeyOrigin, kms:KeySpec, kms:KeyUsage, kms:MultiRegion, kms:MultiRegionKeyType, kms:ResourceAliases

Condition keys for AWS Key Management Service

AWS Key Management Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access to the specified AWS KMS operations based on both the key and value of the tag in the request String
aws:ResourceTag/${TagKey} Filters access to the specified AWS KMS operations based on tags assigned to the AWS KMS key String
aws:TagKeys Filters access to the specified AWS KMS operations based on tag keys in the request ArrayOfString
kms:BypassPolicyLockoutSafetyCheck Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request Bool
kms:CallerAccount Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement String
kms:CustomerMasterKeySpec The kms:CustomerMasterKeySpec condition key is deprecated. Instead, use the kms:KeySpec condition key String
kms:CustomerMasterKeyUsage The kms:CustomerMasterKeyUsage condition key is deprecated. Instead, use the kms:KeyUsage condition key String
kms:DataKeyPairSpec Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the KeyPairSpec parameter in the request String
kms:EncryptionAlgorithm Filters access to encryption operations based on the value of the encryption algorithm in the request String
kms:EncryptionContext:${EncryptionContextKey} Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition evaluates the key and value in each key-value encryption context pair String
kms:EncryptionContextKeys Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition key evaluates only the key in each key-value encryption context pair ArrayOfString
kms:ExpirationModel Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request String
kms:GrantConstraintType Filters access to the CreateGrant operation based on the grant constraint in the request String
kms:GrantIsForAWSResource Filters access to the CreateGrant operation when the request comes from a specified AWS service Bool
kms:GrantOperations Filters access to the CreateGrant operation based on the operations in the grant ArrayOfString
kms:GranteePrincipal Filters access to the CreateGrant operation based on the grantee principal in the grant String
kms:KeyAgreementAlgorithm Filters access to the DeriveSharedSecret operation based on the value of the KeyAgreementAlgorithm parameter in the request String
kms:KeyOrigin Filters access to an API operation based on the Origin property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key String
kms:KeySpec Filters access to an API operation based on the KeySpec property of the AWS KMS key that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource String
kms:KeyUsage Filters access to an API operation based on the KeyUsage property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource String
kms:MacAlgorithm Filters access to the GenerateMac and VerifyMac operations based on the MacAlgorithm parameter in the request String
kms:MessageType Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request String
kms:MultiRegion Filters access to an API operation based on the MultiRegion property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource Bool
kms:MultiRegionKeyType Filters access to an API operation based on the MultiRegionKeyType property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource String
kms:PrimaryRegion Filters access to the UpdatePrimaryRegion operation based on the value of the PrimaryRegion parameter in the request String
kms:ReEncryptOnSameKey Filters access to the ReEncrypt operation when it uses the same AWS KMS key that was used for the Encrypt operation Bool
kms:RecipientAttestation:ImageSha384 Filters access to the API operations based on the image hash in the attestation document in the request String
kms:RecipientAttestation:PCR0 Filters access by the platform configuration register (PCR) 0 in the attestation document. PCR0 is a contiguous measure of the contents of the enclave image file, without the section data String
kms:RecipientAttestation:PCR1 Filters access by the platform configuration register (PCR) 1 in the attestation document. PCR1 is a contiguous measurement of the Linux kernel and bootstrap data String
kms:RecipientAttestation:PCR10 Filters access by the platform configuration register (PCR) 10 in the attestation document in the request. PCR10 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR11 Filters access by the platform configuration register (PCR) 11 in the attestation document in the request. PCR11 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR12 Filters access by the platform configuration register (PCR) 12 in the attestation document in the request. PCR12 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR13 Filters access by the platform configuration register (PCR) 13 in the attestation document in the request. PCR13 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR14 Filters access by the platform configuration register (PCR) 14 in the attestation document in the request. PCR14 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR15 Filters access by the platform configuration register (PCR) 15 in the attestation document in the request. PCR15 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR16 Filters access by the platform configuration register (PCR) 16 in the attestation document in the request. PCR16 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR17 Filters access by the platform configuration register (PCR) 17 in the attestation document in the request. PCR17 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR18 Filters access by the platform configuration register (PCR) 18 in the attestation document in the request. PCR18 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR19 Filters access by the platform configuration register (PCR) 19 in the attestation document in the request. PCR19 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR2 Filters access by the platform configuration register (PCR) 2 in the attestation document. PCR2 is a contiguous, in-order measurement of the user applications, without the boot ramfs String
kms:RecipientAttestation:PCR20 Filters access by the platform configuration register (PCR) 20 in the attestation document in the request. PCR20 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR21 Filters access by the platform configuration register (PCR) 21 in the attestation document in the request. PCR21 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR22 Filters access by the platform configuration register (PCR) 22 in the attestation document in the request. PCR22 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR23 Filters access by the platform configuration register (PCR) 23 in the attestation document in the request. PCR23 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR24 Filters access by the platform configuration register (PCR) 24 in the attestation document in the request. PCR24 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR25 Filters access by the platform configuration register (PCR) 25 in the attestation document in the request. PCR25 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR26 Filters access by the platform configuration register (PCR) 26 in the attestation document in the request. PCR26 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR27 Filters access by the platform configuration register (PCR) 27 in the attestation document in the request. PCR27 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR28 Filters access by the platform configuration register (PCR) 28 in the attestation document in the request. PCR28 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR29 Filters access by the platform configuration register (PCR) 29 in the attestation document in the request. PCR29 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR3 Filters access by the platform configuration register (PCR) 3 in the attestation document. PCR3 is a contiguous measurement of the IAM role assigned to the parent instance String
kms:RecipientAttestation:PCR30 Filters access by the platform configuration register (PCR) 30 in the attestation document in the request. PCR30 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR31 Filters access by the platform configuration register (PCR) 31 in the attestation document in the request. PCR31 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR4 Filters access by the platform configuration register (PCR) 4 in the attestation document. PCR4 is a contiguous measurement of the ID of the parent instance String
kms:RecipientAttestation:PCR5 Filters access by the platform configuration register (PCR) 5 in the attestation document in the request. PCR5 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR6 Filters access by the platform configuration register (PCR) 6 in the attestation document in the request. PCR6 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR7 Filters access by the platform configuration register (PCR) 7 in the attestation document in the request. PCR7 is a custom PCR that can be defined by the user for specific use cases String
kms:RecipientAttestation:PCR8 Filters access by the platform configuration register (PCR) 8 in the attestation document. PCR8 is a measure of the signing certificate specified for the enclave image file String
kms:RecipientAttestation:PCR9 Filters access by the platform configuration register (PCR) 9 in the attestation document in the request. PCR9 is a custom PCR that can be defined by the user for specific use cases String
kms:ReplicaRegion Filters access to the ReplicateKey operation based on the value of the ReplicaRegion parameter in the request String
kms:RequestAlias Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request String
kms:ResourceAliases Filters access to specified AWS KMS operations based on aliases associated with the AWS KMS key ArrayOfString
kms:RetiringPrincipal Filters access to the CreateGrant operation based on the retiring principal in the grant String
kms:RotationPeriodInDays Filters access to the EnableKeyRotation operation based on the value of the RotationPeriodInDays parameter in the request Numeric
kms:ScheduleKeyDeletionPendingWindowInDays Filters access to the ScheduleKeyDeletion operation based on the value of the PendingWindowInDays parameter in the request Numeric
kms:SigningAlgorithm Filters access to the Sign and Verify operations based on the signing algorithm in the request String
kms:ValidTo Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date Date
kms:ViaService Filters access when a request made on the principal's behalf comes from a specified AWS service String
kms:WrappingAlgorithm Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request String
kms:WrappingKeySpec Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request String
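As an added illustration of how the condition keys in the tables above combine in practice (this policy is an example written for this page, not a sample from the reference or from AWS), the following IAM identity-based policy scopes cryptographic use of one key to a single calling account and an expected encryption context, restricts Decrypt to a Nitro Enclave whose attestation document reports an expected PCR0 measurement, allows grants only when they are created for an AWS resource, and denies key creation or policy replacement that bypasses the policy lockout safety check. The key ARN, account ID, encryption-context key and value, and PCR0 hex value are placeholders, not real values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UseKeyOnlyFromThisAccountWithExpectedContext",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "111122223333",
          "kms:EncryptionContext:app": "example-service"
        },
        "ForAllValues:StringEquals": {
          "kms:EncryptionContextKeys": ["app"]
        }
      }
    },
    {
      "Sid": "DecryptOnlyFromAttestedEnclaveImage",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "111122223333"
        },
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:PCR0": "EXAMPLE-PCR0-HEX-MEASUREMENT-OF-ENCLAVE-IMAGE"
        }
      }
    },
    {
      "Sid": "GrantsOnlyForAwsResources",
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "NeverBypassPolicyLockoutSafetyCheck",
      "Effect": "Deny",
      "Action": [
        "kms:CreateKey",
        "kms:PutKeyPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:BypassPolicyLockoutSafetyCheck": "true"
        }
      }
    }
  ]
}
```

Two points follow from the tables rather than from the policy itself: CreateKey has no resource type, so its statement must use Resource "*", and the Decrypt statement is only as strong as the PCR0 value it pins, which must be the measurement of the enclave image you actually intend to trust. A request whose encryption context omits the "app" key, or that comes from another account, fails the first statement; a Decrypt request without an attestation document, or with a different PCR0, fails the second.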
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.