

# iam-inline-policy-blocked-kms-actions
<a name="iam-inline-policy-blocked-kms-actions"></a>

Checks if the inline policies attached to your IAM users, roles, and groups do not allow blocked actions on all Amazon KMS keys. The rule is NON\_COMPLIANT if any blocked action is allowed on all Amazon KMS keys in an inline policy.



**Identifier:** IAM\_INLINE\_POLICY\_BLOCKED\_KMS\_ACTIONS

**Resource Types:** AWS::IAM::Group, AWS::IAM::Role, AWS::IAM::User

**Trigger type:** Configuration changes

**Amazon Web Services Region:** All supported Amazon Regions except Asia Pacific (New Zealand), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (Melbourne), Mexico (Central), Israel (Tel Aviv), Asia Pacific (Taipei), Canada West (Calgary), Europe (Spain), and Europe (Zurich)

**Parameters:**

blockedActionsPatterns  
Type: CSV  
Comma-separated list of blocked KMS action patterns, for example, kms:\*, kms:Decrypt, kms:ReEncrypt\*.

excludeRoleByManagementAccount (Optional)  
Type: boolean  
Exclude a role if it is only assumable by the organization management account.
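
The following added example (not part of the managed rule's own code) approximates the check locally so an inline policy can be tested against a `blockedActionsPatterns` value before deployment. It assumes that "all KMS keys" means a `Resource` of `*` or a KMS key ARN with a wildcard key ID, compares wildcards in both directions, and does not evaluate `NotAction`, `Condition`, or `excludeRoleByManagementAccount`; the function names and sample policies are constructed for illustration.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    # IAM allows a single string/object or a list for Statement, Action, Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers_all_keys(resource):
    # Assumption: "all KMS keys" = "*" or a KMS key ARN with a wildcard key ID.
    r = resource.lower()
    return r == "*" or (r.startswith("arn:") and ":kms:" in r and r.endswith(":key/*"))

def _overlaps(action, pattern):
    # IAM actions are case-insensitive; either side may contain wildcards,
    # so test each as the pattern for the other (a conservative overlap check).
    a, p = action.lower(), pattern.lower()
    return fnmatchcase(a, p) or fnmatchcase(p, a)

def blocked_kms_findings(policy, blocked_patterns_csv):
    """Return (policy_action, blocked_pattern) pairs allowed on all KMS keys."""
    patterns = [p.strip() for p in blocked_patterns_csv.split(",") if p.strip()]
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_covers_all_keys(r) for r in _as_list(stmt.get("Resource"))):
            continue  # scoped to specific keys: outside this rule
        for action in _as_list(stmt.get("Action")):
            findings += [(action, p) for p in patterns if _overlaps(action, p)]
    return findings

def evaluate(policy, blocked_patterns_csv):
    found = blocked_kms_findings(policy, blocked_patterns_csv)
    return "NON_COMPLIANT" if found else "COMPLIANT"

# Constructed sample input (account ID and key ID are placeholders).
BLOCKED = "kms:Decrypt, kms:ReEncrypt*"
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["kms:ReEncryptFrom", "s3:GetObject"],
    "Resource": "*"}]}
WILDCARD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("BROAD", BROAD), ("WILDCARD", WILDCARD)):
        print(name, evaluate(doc, BLOCKED), blocked_kms_findings(doc, BLOCKED))
```
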

## Amazon CloudFormation template
<a name="w2aac20c16c17b7d917c19"></a>

To create Amazon Config managed rules with Amazon CloudFormation templates, see [Creating Amazon Config Managed Rules With Amazon CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).