Actions, resources, and condition keys for AWS Key Management Service
AWS Key Management Service (service prefix: kms) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by AWS Key Management Service
You can specify the following actions in the Action
element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource
element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
CancelKeyDeletion | Controls permission to cancel the scheduled deletion of a customer master key | Write | |||
ConnectCustomKeyStore | Controls permission to connect or reconnect a custom key store to its associated AWS CloudHSM cluster | Write | |||
CreateAlias | Controls permission to create an alias for a customer master key (CMK). Aliases are optional friendly names that you can associate with customer master keys | Write | |||
CreateCustomKeyStore | Controls permission to create a custom key store that is associated with an AWS CloudHSM cluster that you own and manage | Write | | | cloudhsm:DescribeClusters |
CreateGrant | Controls permission to add a grant to a customer master key. You can use grants to add permissions without changing the key policy or IAM policy | Permissions management | |||
CreateKey | Controls permission to create a customer master key that can be used to protect data keys and other sensitive information | Write | |||
Decrypt | Controls permission to decrypt ciphertext that was encrypted under a customer master key | Write | |||
DeleteAlias | Controls permission to delete an alias. Aliases are optional friendly names that you can associate with customer master keys | Write | |||
DeleteCustomKeyStore | Controls permission to delete a custom key store | Write | |||
DeleteImportedKeyMaterial | Controls permission to delete cryptographic material that you imported into a customer master key. This action makes the key unusable | Write | |||
DescribeCustomKeyStores | Controls permission to view detailed information about custom key stores in the account and region | Read | |||
DescribeKey | Controls permission to view detailed information about a customer master key | Read | |||
DisableKey | Controls permission to disable a customer master key, which prevents it from being used in cryptographic operations | Write | |||
DisableKeyRotation | Controls permission to disable automatic rotation of a customer managed customer master key | Write | |||
DisconnectCustomKeyStore | Controls permission to disconnect the custom key store from its associated AWS CloudHSM cluster | Write | |||
EnableKey | Controls permission to change the state of a customer master key (CMK) to enabled. This allows the CMK to be used in cryptographic operations | Write | |||
EnableKeyRotation | Controls permission to enable automatic rotation of the cryptographic material in a customer master key | Write | |||
Encrypt | Controls permission to use the specified customer master key to encrypt data and data keys | Write | |||
GenerateDataKey | Controls permission to use the customer master key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS | Write | |||
GenerateDataKeyPair | Controls permission to use the customer master key to generate data key pairs | Write | |||
GenerateDataKeyPairWithoutPlaintext | Controls permission to use the customer master key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy | Write | |||
GenerateDataKeyWithoutPlaintext | Controls permission to use the customer master key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key | Write | |||
GenerateRandom | Controls permission to get a cryptographically secure random byte string from AWS KMS | Write | |||
GetKeyPolicy | Controls permission to view the key policy for the specified customer master key | Read | |||
GetKeyRotationStatus | Controls permission to determine whether automatic key rotation is enabled on the customer master key | Read | |||
GetParametersForImport | Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token | Read | |||
GetPublicKey | Controls permission to download the public key of an asymmetric customer master key | Read | |||
ImportKeyMaterial | Controls permission to import cryptographic material into a customer master key | Write | |||
ListAliases | Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with customer master keys | List | |||
ListGrants | Controls permission to view all grants for a customer master key | List | |||
ListKeyPolicies | Controls permission to view the names of key policies for a customer master key | List | |||
ListKeys | Controls permission to view the key ID and Amazon Resource Name (ARN) of all customer master keys in the account | List | |||
ListResourceTags | Controls permission to view all tags that are attached to a customer master key | List | |||
ListRetirableGrants | Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants | List | |||
PutKeyPolicy | Controls permission to replace the key policy for the specified customer master key | Permissions management | |||
ReEncryptFrom | Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS | Write | |||
ReEncryptTo | Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS | Write | |||
RetireGrant | Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform | Permissions management | |||
RevokeGrant | Controls permission to revoke a grant, which denies permission for all operations that depend on the grant | Permissions management | |||
ScheduleKeyDeletion | Controls permission to schedule deletion of a customer master key | Write | |||
Sign | Controls permission to produce a digital signature for a message | Write | |||
TagResource | Controls permission to create or update tags that are attached to a customer master key | Tagging | |||
UntagResource | Controls permission to delete tags that are attached to a customer master key | Tagging | |||
UpdateAlias | Controls permission to associate an alias with a different customer master key. An alias is an optional friendly name that you can associate with a customer master key | Write | |||
UpdateCustomKeyStore | Controls permission to change the properties of a custom key store | Write | |||
UpdateKeyDescription | Controls permission to delete or change the description of a customer master key | Write | |||
Verify | Controls permission to use the specified customer master key to verify digital signatures | Write | |||
Resource types defined by AWS Key Management Service
The following resource types are defined by this service and can be used in the
Resource
element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The resource types table.
Condition keys for AWS Key Management Service
AWS Key Management Service defines the following condition keys that can be used in
the Condition
element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the
following table, see The condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:ResourceTag/${TagKey} | Filters access to the specified AWS KMS operations based on tags assigned to the customer master key | String |
kms:BypassPolicyLockoutSafetyCheck | Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request | Bool |
kms:CallerAccount | Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement | String |
kms:CustomerMasterKeySpec | Filters access to an API operation based on the CustomerMasterKeySpec property of the CMK that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource | String |
kms:CustomerMasterKeyUsage | Filters access to an API operation based on the KeyUsage property of the CMK created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource | String |
kms:DataKeyPairSpec | Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the DataKeyPairSpec parameter in the request | String |
kms:EncryptionAlgorithm | Filters access to encryption operations based on the value of the encryption algorithm in the request | String |
kms:EncryptionContextKeys | Filters access based on the presence of specified keys in the encryption context. The encryption context is an optional element in a cryptographic operation | String |
kms:ExpirationModel | Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request | String |
kms:GrantConstraintType | Filters access to the CreateGrant operation based on the grant constraint in the request | String |
kms:GrantIsForAWSResource | Filters access to the CreateGrant operation when the request comes from a specified AWS service | Bool |
kms:GrantOperations | Filters access to the CreateGrant operation based on the operations in the grant | String |
kms:GranteePrincipal | Filters access to the CreateGrant operation based on the grantee principal in the grant | String |
kms:KeyOrigin | Filters access to an API operation based on the Origin property of the CMK created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource | String |
kms:MessageType | Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request | String |
kms:ReEncryptOnSameKey | Filters access to the ReEncrypt operation when it uses the same customer master key that was used for the Encrypt operation | Bool |
kms:RequestAlias | Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request | String |
kms:ResourceAliases | Filters access to specified AWS KMS operations based on aliases associated with the customer master key | String |
kms:RetiringPrincipal | Filters access to the CreateGrant operation based on the retiring principal in the grant | String |
kms:SigningAlgorithm | Filters access to the Sign and Verify operations based on the signing algorithm in the request | String |
kms:ValidTo | Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date | Numeric |
kms:ViaService | Filters access when a request made on the principal's behalf comes from a specified AWS service | String |
kms:WrappingAlgorithm | Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request | String |
kms:WrappingKeySpec | Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request | String |
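The actions table and the condition keys table above are only useful once they are combined in a policy, so here is an added, self-contained example (not from the AWS documentation and not AWS code) that writes a KMS key policy using several of the actions and keys listed (kms:ViaService, kms:CallerAccount, kms:EncryptionContextKeys, kms:GrantIsForAWSResource, kms:BypassPolicyLockoutSafetyCheck) and evaluates sample requests against it with a small local evaluator. The key ARN, account ID and request contexts are constructed for the example. The evaluator models only the subset of IAM semantics the policy needs (StringEquals, StringLike, Bool, ForAllValues:StringEquals, exact or "*" resource match, and explicit deny over allow over implicit deny); it is a teaching aid, not a substitute for the IAM policy simulator.

```python
from fnmatch import fnmatchcase

# Constructed for the example: a hypothetical KMS key and account.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Key policy built from actions and condition keys in the tables above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Data-plane use only via S3 in this region, from this account,
            # and only with the encryption context keys S3 is known to set.
            "Sid": "AllowS3UseWithContext",
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"],
            "Resource": KEY_ARN,
            "Condition": {
                "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com",
                                 "kms:CallerAccount": "111122223333"},
                "ForAllValues:StringEquals": {"kms:EncryptionContextKeys": ["aws:s3:arn"]},
            },
        },
        {   # AWS services may create grants on the caller's behalf; humans may not.
            "Sid": "AllowServiceGrants",
            "Effect": "Allow",
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": KEY_ARN,
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
        {   # Never let the policy lockout safety check be bypassed.
            "Sid": "DenyBypassLockout",
            "Effect": "Deny",
            "Action": ["kms:CreateKey", "kms:PutKeyPolicy"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:BypassPolicyLockoutSafetyCheck": "true"}},
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(operator, expected, ctx):
    """Evaluate one condition operator block against a request context dict."""
    for key, wanted in expected.items():
        wanted = [str(w) for w in _as_list(wanted)]
        actual = ctx.get(key)
        if operator == "ForAllValues:StringEquals":
            # Set operator: every request value must be in the policy set.
            # A request with no value for the key also matches (IAM semantics).
            if any(a not in wanted for a in _as_list(actual or [])):
                return False
            continue
        if actual is None:            # single-valued operators need the key present
            return False
        actual = str(actual)
        if operator == "Bool":        # case-insensitive true/false comparison
            actual, wanted = actual.lower(), [w.lower() for w in wanted]
        if operator in ("StringEquals", "Bool"):
            if actual not in wanted:
                return False
        elif operator == "StringLike":
            if not any(fnmatchcase(actual, w) for w in wanted):
                return False
        else:
            raise ValueError(f"unsupported operator {operator}")
    return True


def _statement_applies(stmt, action, resource, ctx):
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(r in ("*", resource) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_matches(op, exp, ctx)
               for op, exp in stmt.get("Condition", {}).items())


def evaluate(policy, action, resource, ctx):
    """Explicit Deny wins; otherwise Allow if any Allow statement matches; else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    via_s3 = {"kms:ViaService": "s3.us-east-1.amazonaws.com",
              "kms:CallerAccount": "111122223333",
              "kms:EncryptionContextKeys": ["aws:s3:arn"]}
    print("Decrypt via S3:", evaluate(POLICY, "kms:Decrypt", KEY_ARN, via_s3))
    print("Decrypt direct:", evaluate(POLICY, "kms:Decrypt", KEY_ARN,
                                      {"kms:CallerAccount": "111122223333"}))
    print("PutKeyPolicy with bypass:", evaluate(POLICY, "kms:PutKeyPolicy", KEY_ARN,
                                                {"kms:BypassPolicyLockoutSafetyCheck": True}))
```

Two things worth noticing when running it. First, the Deny statement only fires when BypassPolicyLockoutSafetyCheck is actually true in the request; a PutKeyPolicy call without that parameter is not matched by the Deny, so it falls through to the implicit deny because no Allow covers it. Second, the ForAllValues condition on kms:EncryptionContextKeys is satisfied by a request that carries no encryption context at all, which is how IAM set operators behave; if the intent is to require the context, pair it with a Null check on the key or use the kms:EncryptionContext:${key} form, rather than relying on ForAllValues alone.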