Using IAM policies with AWS KMS
You can use IAM policies, along with key policies, grants, and VPC endpoint policies, to control access to your AWS KMS keys in AWS KMS.
Note
To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. Specifically, the key policy must include the policy statement that enables IAM policies.
This section explains how to use IAM policies to control access to AWS KMS operations. For more general information about IAM, see the IAM User Guide.
All KMS keys must have a key policy. IAM policies are optional. To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. Specifically, the key policy must include the policy statement that enables IAM policies.
IAM policies can control access to any AWS KMS operation. Unlike key policies, IAM policies can control access to multiple KMS keys and provide permissions for the operations of several related AWS services. But IAM policies are particularly useful for controlling access to operations, such as CreateKey, that can't be controlled by a key policy because they don't involve any particular KMS key.
If you access AWS KMS through an Amazon Virtual Private Cloud (Amazon VPC) endpoint, you can also use a VPC endpoint policy to limit access to your AWS KMS resources when using the endpoint. For example, when using the VPC endpoint, you might only allow the principals in your AWS account to access your customer managed keys. For details, see Controlling access to a VPC endpoint.
For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the IAM User Guide.
Topics
