AWS KMS and IAM Policies - AWS Key Management Service Best Practices

AWS KMS and IAM Policies

You can use AWS Identity and Access Management (IAM) policies in combination with key policies to control access to your customer master keys (CMKs) in AWS KMS. This section discusses using IAM in the context of AWS KMS. It doesn’t provide detailed information about the IAM service. For complete IAM documentation, see the AWS IAM User Guide.

Policies attached to IAM identities (that is, users, groups, and roles) are called identity-based policies (or IAM policies). Policies attached to resources outside of IAM are called resource-based policies. In AWS KMS, you must attach resource-based policies to your customer master keys (CMKs). These are called key policies. All KMS CMKs have a key policy, and you must use it to control access to a CMK. IAM policies by themselves are not sufficient to allow access to a CMK, although you can use them in combination with a CMK key policy. To do so, ensure that the CMK key policy includes the policy statement that enables IAM policies.

By using an identity-based IAM policy, you can enforce least privilege by granting granular access to KMS API calls within an AWS account. Remember, IAM policies are based on a policy of default-denied unless you explicitly grant permission to a principal to perform an action.