CMK Grants - AWS Key Management Service Best Practices

CMK Grants

Key policy changes follow the same permissions model used for policy editing elsewhere in AWS. That is, users either have permission to change the key policy or they do not. Users with the PutKeyPolicy permission for a CMK can completely replace the key policy for a CMK with a different key policy of their choice. You can use key policies to allow other principals to access a CMK, but key policies work best for relatively static assignments of permissions. To enable more granular permissions management, you can use grants. Grants are useful when you want to define scoped-down, temporary permissions for other principals to use your CMK on your behalf in the absence of a direct API call from you.

It’s important to be aware of the per-key grant limit and the per-principal-per-key grant limit when you design applications that use grants to control access to keys. Ensure that the retiring principal retires each grant after it’s used, so that stale grants do not accumulate and exhaust these limits.
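The pattern described above (a scoped-down, temporary grant that is retired as soon as it has been used), as an added Python example that is not part of the AWS documentation. It builds the `create_grant` arguments with an `EncryptionContextSubset` constraint and a minimal operation list, retires the grant on exit, and uses a constructed fake client in place of boto3's KMS client so it runs offline; the key ID and role ARNs are placeholders.

```python
from contextlib import contextmanager

# Real KMS GrantOperation values; list only the ones the grantee actually needs.
GRANT_OPERATIONS = {
    "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "ReEncryptFrom",
    "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant",
    "DescribeKey",
}

def build_grant_request(key_id, grantee_principal, retiring_principal,
                        operations, encryption_context, name):
    """Return keyword arguments for kms.create_grant(), refusing a grant that
    is not scoped down: unknown operations, or no encryption-context constraint
    (EncryptionContextSubset restricts the grant to requests whose encryption
    context contains these key/value pairs)."""
    unknown = set(operations) - GRANT_OPERATIONS
    if unknown:
        raise ValueError(f"unknown grant operations: {sorted(unknown)}")
    if not encryption_context:
        raise ValueError("a grant should carry an encryption-context constraint")
    return {
        "KeyId": key_id,
        "GranteePrincipal": grantee_principal,
        "RetiringPrincipal": retiring_principal,
        "Operations": sorted(operations),
        "Constraints": {"EncryptionContextSubset": dict(encryption_context)},
        "Name": name,  # idempotency token: repeating the same call makes no new grant
    }

@contextmanager
def scoped_grant(kms, **grant_args):
    """Create a temporary grant, yield its token, and retire it on exit (even
    on error) so it stops counting against the per-key grant limits. The
    caller must be allowed to retire it, e.g. be the RetiringPrincipal."""
    resp = kms.create_grant(**build_grant_request(**grant_args))
    try:
        yield resp["GrantToken"]
    finally:
        kms.retire_grant(GrantToken=resp["GrantToken"])

class FakeKmsClient:
    """Constructed offline stand-in for boto3's KMS client; records calls."""
    def __init__(self):
        self.calls = []
    def create_grant(self, **kwargs):
        self.calls.append(("create_grant", kwargs))
        return {"GrantToken": "constructed-grant-token", "GrantId": "constructed-id"}
    def retire_grant(self, **kwargs):
        self.calls.append(("retire_grant", kwargs))
```

With a real client, pass `boto3.client("kms")` as `kms`; the grant token yielded by `scoped_grant` can be supplied to the grantee's `GenerateDataKey`/`Decrypt` calls until the block exits.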