

# Authorizing Amazon KMS to manage Amazon CloudHSM and Amazon EC2 resources
<a name="authorize-kms"></a>

To support your Amazon CloudHSM key stores, Amazon KMS needs permission to get information about your Amazon CloudHSM clusters. It also needs permission to create the network infrastructure that connects your Amazon CloudHSM key store to its Amazon CloudHSM cluster. To get these permissions, Amazon KMS creates the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role in your Amazon Web Services account. Users who create Amazon CloudHSM key stores must have the `iam:CreateServiceLinkedRole` permission that allows them to create service-linked roles.
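
The `iam:CreateServiceLinkedRole` permission mentioned above is where over-broad grants commonly creep in: without a condition, that single action lets the principal create the service-linked role of any Amazon service, not just the one KMS needs. The block below is an added example, not code from this page or from Amazon KMS. It shows the grant scoped with the `iam:AWSServiceName` condition key next to the unscoped form, and a deliberately small evaluator that models only that condition key so the difference is visible; the statement id and the evaluator itself are this example's own assumptions, and the policies are constructed inline.

```python
"""Least-privilege grant for principals that create CloudHSM key stores.

Added example, not from the page. The page requires iam:CreateServiceLinkedRole;
granted without a condition, that action lets the principal create the
service-linked role of any service. Scoping it with the iam:AWSServiceName
condition key limits it to the KMS custom key store service principal.
allows_create_slr() is a deliberately small evaluator that models only that
condition key, to show the difference between the two grants.
"""
import fnmatch

KMS_CKS_SERVICE = "cks.kms.amazonaws.com"   # service principal the SLR trusts

# Scoped grant (the Sid is a hypothetical name chosen for this example).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CreateKmsCustomKeyStoreSlr",
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "*",
        "Condition": {"StringEquals": {"iam:AWSServiceName": KMS_CKS_SERVICE}},
    }],
}

# The over-broad grant this replaces: any service's service-linked role.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
                   "Resource": "*"}],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _matches(value, pattern):
    """IAM-style match: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def allows_create_slr(policy, service_name):
    """True if an Allow statement grants iam:CreateServiceLinkedRole for service_name.

    Simplified model: no Deny handling, and only StringEquals / StringLike on
    iam:AWSServiceName are evaluated; other condition keys are ignored.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_matches("iam:CreateServiceLinkedRole", a) for a in actions):
            continue
        cond = stmt.get("Condition", {})
        equals = _as_list(cond.get("StringEquals", {}).get("iam:AWSServiceName"))
        like = _as_list(cond.get("StringLike", {}).get("iam:AWSServiceName"))
        if not equals and not like:
            return True                       # unconditioned: any service's role
        if service_name in equals or any(_matches(service_name, w) for w in like):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("unscoped", UNSCOPED_POLICY)):
        for svc in (KMS_CKS_SERVICE, "autoscaling.amazonaws.com"):
            print(f"{name:8s} {svc:28s} {allows_create_slr(policy, svc)}")
```

The scoped policy answers `True` only for `cks.kms.amazonaws.com`; the unscoped one answers `True` for every service principal you try. `Resource` is left as `*` so the statement is partition-independent; it can be narrowed further to the role's ARN under the `aws-service-role/cks.kms.amazonaws.com/` path, but the condition key is what actually confines the grant.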

To view details about updates to the **AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy** managed policy, see [Amazon KMS updates to Amazon managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

**Topics**
+ [About the Amazon KMS service-linked role](#about-key-store-slr)
+ [Create the service-linked role](#create-key-store-slr)
+ [Edit the service-linked role description](#edit-key-store-slr)
+ [Delete the service-linked role](#delete-key-store-slr)

## About the Amazon KMS service-linked role
<a name="about-key-store-slr"></a>

A [service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html) is an IAM role that gives one Amazon service permission to call other Amazon services on your behalf. It's designed to make it easier for you to use the features of multiple integrated Amazon services without having to create and maintain complex IAM policies. For more information, see [Using service-linked roles for Amazon KMS](using-service-linked-roles.md).

For Amazon CloudHSM key stores, Amazon KMS creates the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role with the **AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy** managed policy. This policy grants the role the following permissions:
+ [cloudhsm:Describe\*](https://docs.amazonaws.cn/cloudhsm/latest/APIReference/API_DescribeClusters.html) – detects changes in the Amazon CloudHSM cluster that is attached to your custom key store.
+ [ec2:CreateSecurityGroup](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html) – used when you [connect an Amazon CloudHSM key store](connect-keystore.md) to create the security group that enables network traffic flow between Amazon KMS and your Amazon CloudHSM cluster.
+ [ec2:AuthorizeSecurityGroupIngress](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html) – used when you [connect an Amazon CloudHSM key store](connect-keystore.md) to allow network access from Amazon KMS into the VPC that contains your Amazon CloudHSM cluster.
+ [ec2:CreateNetworkInterface](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_CreateNetworkInterface.html) – used when you [connect an Amazon CloudHSM key store](connect-keystore.md) to create the network interface used for communication between Amazon KMS and the Amazon CloudHSM cluster.
+ [ec2:RevokeSecurityGroupEgress](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html) – used when you [connect an Amazon CloudHSM key store](connect-keystore.md) to remove all outbound rules from the security group that Amazon KMS created.
+ [ec2:DeleteSecurityGroup](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html) – used when you [disconnect an Amazon CloudHSM key store](disconnect-keystore.md) to delete security groups that were created when you connected the Amazon CloudHSM key store.
+ [ec2:DescribeSecurityGroups](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) – used to monitor changes in the security group that Amazon KMS created in the VPC that contains your Amazon CloudHSM cluster so that Amazon KMS can provide clear error messages in case of failures.
+ [ec2:DescribeVpcs](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_DescribeVpcs.html) – used to monitor changes in the VPC that contains your Amazon CloudHSM cluster so that Amazon KMS can provide clear error messages in case of failures.
+ [ec2:DescribeNetworkAcls](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_DescribeNetworkAcls.html) – used to monitor changes in the network ACLs for the VPC that contains your Amazon CloudHSM cluster so that Amazon KMS can provide clear error messages in case of failures.
+ [ec2:DescribeNetworkInterfaces](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_DescribeNetworkInterfaces.html) – used to monitor changes in the network interfaces that Amazon KMS created in the VPC that contains your Amazon CloudHSM cluster so that Amazon KMS can provide clear error messages in case of failures.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudhsm:Describe*",
        "ec2:CreateNetworkInterface",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeVpcs",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    }
  ]
}
```

------

Because the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role trusts only `cks.kms.amazonaws.com`, only Amazon KMS can assume this service-linked role. This role is limited to the operations that Amazon KMS needs to view your Amazon CloudHSM clusters and to connect an Amazon CloudHSM key store to its associated Amazon CloudHSM cluster. It does not give Amazon KMS any additional permissions. For example, Amazon KMS does not have permission to create, manage, or delete your Amazon CloudHSM clusters, HSMs, or backups.
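
The two properties just stated, that the role trusts only `cks.kms.amazonaws.com` and that its permissions are exactly the documented set and never extend to creating, managing or deleting clusters, HSMs or backups, are worth checking mechanically, since the role lives in your account and a lookalike role or an edited policy would not announce itself. The block below is an added example, not code from this page or from Amazon KMS: an offline audit that takes the trust policy and the attached policy as JSON (here constructed inline, using the page's own policy and the `111122223333` placeholder account; in practice they would come from `iam:GetRole` and `iam:GetPolicyVersion` output) and reports every deviation. The set of forbidden actions is this example's own choice of representative CloudHSM operations the page says KMS must not have.

```python
"""Offline audit of the AWSServiceRoleForKeyManagementServiceCustomKeyStores role.

Added example, not from the page. Given the role's trust policy and its
attached managed policy as JSON, report any deviation from what the page
states: the only trusted principal is cks.kms.amazonaws.com, the granted
actions are exactly the documented set, and nothing granted covers creating,
managing or deleting CloudHSM clusters, HSMs or backups.
"""
import fnmatch

SERVICE_PRINCIPAL = "cks.kms.amazonaws.com"

# Permission set the page documents for the attached managed policy.
DOCUMENTED_ACTIONS = {
    "cloudhsm:Describe*",
    "ec2:CreateNetworkInterface",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateSecurityGroup",
    "ec2:DescribeSecurityGroups",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:DeleteSecurityGroup",
    "ec2:DescribeVpcs",
    "ec2:DescribeNetworkAcls",
    "ec2:DescribeNetworkInterfaces",
}

# Representative operations the page says KMS must not get (example's choice);
# any granted pattern that matches one of them is drift.
FORBIDDEN_ACTIONS = ("cloudhsm:CreateCluster", "cloudhsm:DeleteCluster",
                     "cloudhsm:DeleteHsm", "cloudhsm:DeleteBackup")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trusted_principals(trust_policy):
    """Collect every principal that an Allow statement lets assume the role."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for kind in ("Service", "AWS", "Federated"):
            found.update(_as_list(principal.get(kind)))
    return found


def granted_actions(policy):
    """Every action pattern granted by an Allow statement."""
    return {a for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action"))}


def audit(trust_policy, permissions_policy):
    """Return a list of findings; an empty list means the role matches the page."""
    findings = []
    principals = trusted_principals(trust_policy)
    if principals != {SERVICE_PRINCIPAL}:
        findings.append(f"trust policy allows {sorted(principals)}, "
                        f"expected only {SERVICE_PRINCIPAL}")
    actions = granted_actions(permissions_policy)
    for extra in sorted(actions - DOCUMENTED_ACTIONS):
        findings.append(f"undocumented action granted: {extra}")
    for missing in sorted(DOCUMENTED_ACTIONS - actions):
        findings.append(f"documented action missing: {missing}")
    for pattern in sorted(actions):
        for forbidden in FORBIDDEN_ACTIONS:
            if fnmatch.fnmatchcase(forbidden.lower(), pattern.lower()):
                findings.append(f"{pattern!r} covers {forbidden}, which KMS must not have")
    return findings


# Constructed sample documents. GOOD_POLICY mirrors the page's JSON.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": SERVICE_PRINCIPAL},
     "Action": "sts:AssumeRole"}]}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(DOCUMENTED_ACTIONS), "Resource": "*"}]}

# Drifted copies: a second trusted principal and a cloudhsm:* wildcard were added.
DRIFTED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": SERVICE_PRINCIPAL},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole"}]}
DRIFTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(DOCUMENTED_ACTIONS) + ["cloudhsm:*"],
     "Resource": "*"}]}

if __name__ == "__main__":
    for label, trust, perms in (("good", GOOD_TRUST, GOOD_POLICY),
                                ("drifted", DRIFTED_TRUST, DRIFTED_POLICY)):
        print(label, audit(trust, perms) or ["OK"])
```

The documented set is compared as literal action patterns rather than expanded, so a granted `cloudhsm:*` shows up both as an undocumented pattern and, through the wildcard match, as covering `cloudhsm:DeleteCluster`; that second finding is the one that matters, since it is the capability the page says KMS never holds.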

**Regions**

Like the Amazon CloudHSM key stores feature, the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** role is supported in all Amazon Web Services Regions where Amazon KMS and Amazon CloudHSM are available. For a list of Amazon Web Services Regions that each service supports, see [Amazon Key Management Service Endpoints and Quotas](https://docs.amazonaws.cn/general/latest/gr/kms.html) and [Amazon CloudHSM endpoints and quotas](https://docs.amazonaws.cn/general/latest/gr/cloudhsm.html) in the *Amazon Web Services General Reference*.

For more information about how Amazon services use service-linked roles, see [Using service-linked roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html) in the IAM User Guide.

## Create the service-linked role
<a name="create-key-store-slr"></a>

Amazon KMS automatically creates the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role in your Amazon Web Services account when you create an Amazon CloudHSM key store, if the role does not already exist. You cannot create or re-create this service-linked role directly.

## Edit the service-linked role description
<a name="edit-key-store-slr"></a>

You cannot edit the role name or the policy statements in the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role, but you can edit the role description. For instructions, see [Editing a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Delete the service-linked role
<a name="delete-key-store-slr"></a>

Amazon KMS does not delete the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role from your Amazon Web Services account even if you have [deleted all of your Amazon CloudHSM key stores](delete-keystore.md). Although there is currently no procedure for deleting the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role, Amazon KMS does not assume this role or use its permissions unless you have active Amazon CloudHSM key stores.