Baseline KMS key and IAM policy statements
Note
Customer managed KMS keys for AWS IAM Identity Center are currently available in select AWS Regions.
The baseline KMS key and identity-based policies provided here serve as a foundation for common requirements. We also recommend that you review Advanced KMS key policy statements that provide more granular access controls, such as ensuring the KMS key is accessible only to a specific IAM Identity Center instance or AWS managed application. Before using advanced KMS key policy statements, review the Considerations for choosing baseline vs. advanced KMS key policy statements.
The following sections provide baseline policy statements for each use case. Copy the KMS key policy statements that match your use cases, then return to Step 2: Prepare KMS key policy statements.
Baseline KMS key policy statements for use of IAM Identity Center (required)
Use the following KMS key policy statement template in Step 2: Prepare KMS key policy statements to allow IAM Identity Center, its associated Identity Store, and IAM Identity Center administrators to use the KMS key.
- Specify your IAM Identity Center administrators' IAM principals in the Principal element. For more information about IAM principals, see Specifying a principal in the IAM User Guide.
- Identity Store has its own service principal, identitystore.amazonaws.com, which must be allowed to use the KMS key.
- These policy statements allow any of your IAM Identity Center instances to use the KMS key. To restrict access to a specific IAM Identity Center instance, see Advanced KMS key policy statements.
KMS key policy statements
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*",
          "kms:ViaService": "identitystore.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "AllowIAMIdentityCenterToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": "sso.amazonaws.com" },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityStoreToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": "identitystore.amazonaws.com" },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "identitystore.amazonaws.com",
          "sso.amazonaws.com"
        ]
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    }
  ]
}
Use the following IAM policy statement template in Step 4: Configure IAM policies for cross-account use of the KMS key to allow IAM Identity Center administrators to use the KMS key.
Replace the example key ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see Find the required identifiers.
IAM Policy statements required for delegated administrators of IAM Identity Center
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToUseKMSkey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToListKeyAliases",
      "Effect": "Allow",
      "Action": "kms:ListAliases",
      "Resource": "*"
    }
  ]
}
Baseline KMS key and IAM policy statements for use of AWS managed applications
Note
Some AWS managed applications cannot be used with IAM Identity Center configured with a customer managed KMS key. For more information, see AWS managed applications that work with IAM Identity Center.
Use the following KMS key policy statement template in Step 2: Prepare KMS key policy statements to allow both AWS managed applications and their administrators to use the KMS key.
Insert your AWS Organizations ID in the PrincipalOrgID condition. For help finding the values of the referenced identifiers, see Find the required identifiers.
These policy statements allow any of your AWS managed applications in the same AWS organization to use the KMS key. To restrict these policy statements to specific AWS managed applications, accounts, or IAM Identity Center instances, see Advanced KMS key policy statements.
KMS key policy statements
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "${organization_ID}" },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "${organization_ID}" },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        },
        "Bool": { "aws:PrincipalIsAWSService": "true" }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        },
        "Bool": { "aws:PrincipalIsAWSService": "true" }
      }
    }
  ]
}
Use the following IAM policy statement template in Step 4: Configure IAM policies for cross-account use of the KMS key to allow administrators of AWS managed applications to use the KMS key from a member account.
Replace the example ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see Find the required identifiers.
Some AWS managed applications require you to configure permissions for IAM Identity Center and Identity Store APIs. Before you configure a customer managed key in your IAM Identity Center, ensure that these permissions also allow use of the KMS key. For specific KMS key permission requirements, see the documentation for each AWS managed application you've deployed.
IAM policy statements required for administrators of AWS managed applications:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "sso.*.amazonaws.com",
            "identitystore.*.amazonaws.com"
          ]
        }
      }
    }
  ]
}
Baseline KMS key statement for use of AWS Control Tower
Use the following KMS key statement templates in Step 2: Prepare KMS key policy statements to allow AWS Control Tower administrators to use the KMS key.
Specify the IAM principals used for access to the APIs of IAM Identity Center in the Principal field. For more information about IAM principals, see Specifying a principal in the IAM User Guide.
These policy statements allow AWS Control Tower administrators to use the KMS key through any of your IAM Identity Center instances. However, AWS Control Tower restricts access to the organization instance of IAM Identity Center in the same AWS organization. Because of this restriction, there is no practical benefit to further restricting the KMS key to a specific IAM Identity Center instance as described in Advanced KMS key policy statements.
KMS key policy statement:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "${Control_Tower_Admins}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "${Control_Tower_Admins}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}
AWS Control Tower does not support delegated administration and, therefore, you don't need to configure an IAM policy for its administrators.
Baseline KMS key and IAM policy statements for single sign-on from IAM Identity Center to Amazon Elastic Compute Cloud Windows instances
Use the following KMS key policy statement template in Step 2: Prepare KMS key policy statements to allow users of single sign-on (SSO) to Amazon EC2 Windows instances to use the KMS key across accounts.
Specify the IAM principals used for access to IAM Identity Center in the Principal field. For more information about IAM principals, see Specifying a principal in the IAM User Guide.
This policy statement allows any of your IAM Identity Center instances to use the KMS key. To restrict access to a specific IAM Identity Center instance, see Policy templates.
KMS key policy statement
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "${Permission_Set_IAM_Role}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "${Permission_Set_IAM_Role}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}
Use the following IAM policy statement template in Step 4: Configure IAM policies for cross-account use of the KMS key to allow SSO to EC2 Windows instances to use the KMS key.
Attach the IAM policy statement to the existing permission set in IAM Identity Center that you are using to allow SSO access to Amazon EC2 Windows instances. For IAM policy examples, see Remote Desktop Protocol connections in the AWS Systems Manager User Guide.
Replace the example ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see Find the required identifiers.
Permission set IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicyToAllowKMSKeyUseViaIdentityCenterAndIdentityStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "sso.*.amazonaws.com",
            "identitystore.*.amazonaws.com"
          ]
        }
      }
    }
  ]
}
Baseline KMS key and IAM policy statements for use of custom workflows with IAM Identity Center
Use the following KMS key policy statement templates in Step 2: Prepare KMS key policy statements to allow custom workflows in the AWS Organizations management account or delegated administration account to use the KMS key.
Specify the IAM principals used to access IAM Identity Center APIs in the Principal element. For more information about IAM principals, see Specifying a principal in the IAM User Guide.
These policy statements allow your workflow to use the KMS key through any of your IAM Identity Center instances. To restrict access to a specific IAM Identity Center instance, see Policy templates.
KMS key policy statement:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "${Workflow_IAM_principal}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "${Workflow_IAM_principal}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}
Use the following IAM policy statement template in Step 4: Configure IAM policies for cross-account use of the KMS key to allow the IAM principal associated with the custom workflow to use the KMS key across accounts. Add the IAM policy statement to the IAM principal.
Replace the example ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see Find the required identifiers.
IAM policy statement (required only for cross-account use):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "sso.*.amazonaws.com",
            "identitystore.*.amazonaws.com"
          ]
        }
      }
    }
  ]
}
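All of the key policy templates above share one pattern: a wildcard principal is always scoped by aws:PrincipalOrgID or aws:PrincipalIsAWSService, every key-use action carries an IAM Identity Center or Identity Store encryption-context condition, and non-service principals are additionally limited with kms:ViaService. The following Python audit is an added example, not part of the AWS documentation, that checks an assembled key policy against that pattern before you attach it; the sample policy, the o-EXAMPLEORGID value and the WeakenedForIllustration statement are constructed for the example.

```python
import json

# Key-use actions from the templates above; kms:DescribeKey carries no conditions there.
USE_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext",
               "kms:ReEncryptTo", "kms:ReEncryptFrom"}
SCOPING_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalIsAWSService"}
CONTEXT_KEYS = {"kms:EncryptionContext:aws:sso:instance-arn",
                "kms:EncryptionContext:aws:identitystore:identitystore-arn"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy):
    """Return (Sid, problem) pairs for Allow statements that break the baseline pattern."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        # Flatten {"StringLike": {...}, "Bool": {...}} to the set of condition keys used.
        keys = {k for operator in stmt.get("Condition", {}).values() for k in operator}
        is_service = isinstance(principal, dict) and "Service" in principal
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if wildcard and not keys & SCOPING_KEYS:
            findings.append((sid, "wildcard principal without an org or service scoping condition"))
        if set(_as_list(stmt.get("Action", []))) & USE_ACTIONS:
            if not keys & CONTEXT_KEYS:
                findings.append((sid, "key use without an Identity Center/Identity Store encryption context"))
            if not is_service and "kms:ViaService" not in keys:
                findings.append((sid, "non-service principal without kms:ViaService"))
    return findings

# Constructed sample: the managed-application admin statement (placeholder org ID),
# a service-principal statement, and one deliberately weakened statement.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
  "Effect": "Allow", "Principal": "*", "Action": "kms:Decrypt", "Resource": "*",
  "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-EXAMPLEORGID"},
                "StringLike": {"kms:ViaService": "sso.*.amazonaws.com",
                               "kms:EncryptionContext:aws:sso:instance-arn": "*"}}},
 {"Sid": "AllowIAMIdentityCenterToUseTheKMSKey", "Effect": "Allow",
  "Principal": {"Service": "sso.amazonaws.com"}, "Action": "kms:Decrypt", "Resource": "*",
  "Condition": {"StringLike": {"kms:EncryptionContext:aws:sso:instance-arn": "*"}}},
 {"Sid": "WeakenedForIllustration", "Effect": "Allow", "Principal": "*",
  "Action": "kms:Decrypt", "Resource": "*",
  "Condition": {"StringLike": {"kms:ViaService": "sso.*.amazonaws.com"}}}]}""")
```

Calling audit_key_policy(SAMPLE_POLICY) returns two findings, both against WeakenedForIllustration, and none for the two statements copied from the templates; run it over your own assembled key policy (json.load of the file) before applying it.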