# Amazon global condition keys
<a name="conditions-aws"></a>

Amazon defines [global condition keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys), a set of policy conditions keys for all Amazon services that use IAM for access control. Amazon KMS supports all global condition keys. You can use them in Amazon KMS key policies and IAM policies.

For example, you can use the [aws:PrincipalArn](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalarn) global condition key to allow access to an Amazon KMS key (KMS key) only when the principal in the request is represented by the Amazon Resource Name (ARN) in the condition key value. To support [attribute-based access control](abac.md) (ABAC) in Amazon KMS, you can use the [aws:ResourceTag/*tag-key*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) global condition key in an IAM policy to allow access to KMS keys with a particular tag.

To help prevent an Amazon service from being used as a confused deputy in a policy where the principal is an [Amazon service principal](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services), you can use the [`aws:SourceArn`](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) or [`aws:SourceAccount`](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition keys. For details, see [Using `aws:SourceArn` or `aws:SourceAccount` condition keys](least-privilege.md#least-privilege-source-arn).

For information about Amazon global condition keys, including the types of requests in which they are available, see [Amazon Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*. For examples of using global condition keys in IAM policies, see [Controlling Access to Requests](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_tags.html#access_tags_control-requests) and [Controlling Tag Keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_tags.html#access_tags_control-tag-keys) in the *IAM User Guide*.

The following topics provide special guidance for using condition keys based on IP addresses and VPC endpoints.

**Topics**
+ [Using the IP address condition in policies with Amazon KMS permissions](#conditions-aws-ip-address)
+ [Using VPC endpoint conditions in policies with Amazon KMS permissions](#conditions-aws-vpce)
+ [Using IPv6 addresses in IAM and Amazon KMS key policies](#KMS-IPv6-policies)

## Using the IP address condition in policies with Amazon KMS permissions
<a name="conditions-aws-ip-address"></a>

You can use Amazon KMS to protect your data in an [integrated Amazon service](service-integration.md). But use caution when specifying the [IP address condition operators](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_IPAddress) or the `aws:SourceIp` condition key in the same policy statement that allows or denies access to Amazon KMS. For example, the policy in [Amazon: Denies Access to Amazon Based on the Source IP](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html) restricts Amazon actions to requests from the specified IP range.

Consider this scenario:

1. You attach a policy like the one shown at [Amazon: Denies Access to Amazon Based on the Source IP](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html) to an IAM identity. You set the value of the `aws:SourceIp` condition key to the range of IP addresses for the user's company. This IAM identity has other policies attached that allow it to use Amazon EBS, Amazon EC2, and Amazon KMS.

1. The identity attempts to attach an encrypted EBS volume to an EC2 instance. This action fails with an authorization error even though the user has permission to use all the relevant services.

Step 2 fails because the request to Amazon KMS to decrypt the volume's encrypted data key comes from an IP address that is associated with the Amazon EC2 infrastructure. To succeed, the request must come from the IP address of the originating user. Because the policy in step 1 explicitly denies all requests from IP addresses other than those specified, Amazon EC2 is denied permission to decrypt the EBS volume's encrypted data key.

Also, the `aws:SourceIp` condition key is not effective when the request comes from an [Amazon VPC endpoint](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-endpoints.html). To restrict requests to a VPC endpoint, including an [Amazon KMS VPC endpoint](kms-vpc-endpoint.md), use the `aws:SourceVpce` or `aws:SourceVpc` condition keys. For more information, see [VPC Endpoints - Controlling the Use of Endpoints](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-endpoints.html#vpc-endpoints-iam-access) in the *Amazon VPC User Guide*.

## Using VPC endpoint conditions in policies with Amazon KMS permissions
<a name="conditions-aws-vpce"></a>

[Amazon KMS supports Amazon Virtual Private Cloud (Amazon VPC) endpoints](kms-vpc-endpoint.md) that are powered by [Amazon PrivateLink](https://docs.amazonaws.cn/vpc/latest/userguide/VPC_Introduction.html#what-is-privatelink). You can use the following [global condition keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in key policies and IAM policies to control access to Amazon KMS resources when the request comes from a VPC or uses a VPC endpoint. For details, see [Use VPC endpoints to control access to Amazon KMS resources](vpce-policy-condition.md).
+ `aws:SourceVpc` limits access to requests from the specified VPC. 
+ `aws:SourceVpce` limits access to requests from the specified VPC endpoint. 

If you use these condition keys to control access to KMS keys, you might inadvertently deny access to Amazon services that use Amazon KMS on your behalf. 

Take care to avoid a situation like the [IP address condition keys](#conditions-aws-ip-address) example. If you restrict requests for a KMS key to a VPC or VPC endpoint, calls to Amazon KMS from an integrated service, such as Amazon S3 or Amazon EBS, might fail. This can happen even if the source request ultimately originates in the VPC or from the VPC endpoint. 

## Using IPv6 addresses in IAM and Amazon KMS key policies
<a name="KMS-IPv6-policies"></a>

Before trying to access Amazon KMS over IPv6, ensure that any key policies and IAM policies containing IP address restrictions are updated to include IPv6 address ranges. IP-based policies that are not updated to handle IPv6 addresses can cause clients to incorrectly lose or gain access when they start using IPv6. For general guidance on KMS access controls, see [KMS key access and permissions](control-access.md). To learn about KMS and dual-stack support, see [Dual-stack endpoint support](ipv6-kms.md).

**Important**  
These statements do not allow any actions. Use these statements in combination with other statements that allow specific actions.

The following statement explicitly denies access to all KMS permissions for requests originating from the `192.0.2.*` range of IPv4 addresses. Any IP addresses outside of this range are not explicitly denied KMS permissions. Since all IPv6 addresses are outside of the denied range, this statement does not explicitly deny KMS permissions for any IPv6 addresses.

```
{
    "Sid": "DenyKMSPermissions",
    "Effect": "Deny",
    "Action": [
        "kms:*"
    ],
    "Resource": "*",
    "Condition": {
        "IpAddress": {
            "aws:SourceIp": [
                "192.0.2.0/24"
            ]
        }
    }
}
```

You can modify the `Condition` element to deny both IPv4 (`192.0.2.0/24`) and IPv6 (`2001:db8:1234::/32`) address ranges as shown in the following example.

```
{
    "Sid": "DenyKMSPermissions",
    "Effect": "Deny",
    "Action": [
        "kms:*"
    ],
    "Resource": "*",
    "Condition": {
        "IpAddress": {
            "aws:SourceIp": [
                "192.0.2.0/24",
                "2001:db8:1234::/32"
            ]
        }
    }
}
```
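The following added example (not Amazon KMS code or anything from the IAM User Guide) evaluates `Deny` statements with `IpAddress`, `NotIpAddress` and `StringNotEquals` conditions the way IAM does, so that the three situations discussed on this page can be checked offline: the EBS/EC2 scenario, where the KMS call arrives from an EC2 infrastructure address rather than the user's; a VPC endpoint restriction that a service-side call cannot satisfy because `aws:SourceVpce` is absent from its request context; and the IPv6 guidance, where an IPv4-only range either leaves IPv6 clients undenied (deny-list form) or denies them all (allow-list form) until the IPv6 range is added. All addresses, the company range `203.0.113.0/24`, the stand-in EC2 infrastructure address and the endpoint ID `vpce-EXAMPLE` are constructed placeholders.

```python
"""Minimal IAM condition evaluator for aws:SourceIp / aws:SourceVpce Deny statements.

Added example. Only the 192.0.2.0/24 and 2001:db8:1234::/32 ranges come from the
page; every other value below is a constructed placeholder.
"""
import ipaddress


def ip_in_ranges(source_ip: str, cidrs) -> bool:
    """True if source_ip lies inside any listed CIDR.

    An IPv6 address can never lie inside an IPv4 CIDR (and vice versa), which is
    why an IPv4-only aws:SourceIp condition treats every IPv6 client the same way.
    """
    addr = ipaddress.ip_address(source_ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def condition_matches(condition: dict, request_context: dict) -> bool:
    """Evaluate one Condition block; every operator/key pair must match.

    As in IAM, a key missing from the request context makes a positive operator
    evaluate to false and a negated operator evaluate to true.
    """
    for operator, keys in condition.items():
        for key, values in keys.items():
            if isinstance(values, str):
                values = [values]
            present = key in request_context
            if operator == "IpAddress":
                ok = present and ip_in_ranges(request_context[key], values)
            elif operator == "NotIpAddress":
                ok = not (present and ip_in_ranges(request_context[key], values))
            elif operator == "StringEquals":
                ok = present and request_context[key] in values
            elif operator == "StringNotEquals":
                ok = not (present and request_context[key] in values)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def deny_applies(statement: dict, request_context: dict) -> bool:
    """True if this Deny statement's Condition matches the request (and so blocks it)."""
    if statement["Effect"] != "Deny":
        raise ValueError("only Deny statements are evaluated here")
    return condition_matches(statement.get("Condition", {}), request_context)


def deny_kms(sid: str, condition: dict) -> dict:
    """Build a Deny-all-KMS statement around a Condition block."""
    return {"Sid": sid, "Effect": "Deny", "Action": ["kms:*"], "Resource": "*", "Condition": condition}


# Deny-list form: block requests that come FROM the listed ranges.
DENY_IPV4_RANGE = deny_kms("DenyIPv4Range", {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}})
DENY_DUAL_STACK = deny_kms("DenyDualStack", {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "2001:db8:1234::/32"]}})

# Allow-list form (the shape of the IAM "deny based on source IP" example):
# block everything that does NOT come from the company's range.
DENY_OUTSIDE_COMPANY = deny_kms("DenyOutsideCompany", {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}})

# VPC endpoint restriction: block anything not arriving through the named endpoint.
DENY_OUTSIDE_VPCE = deny_kms("DenyOutsideVpce", {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}})


def scenarios() -> dict:
    """Return whether each constructed request is blocked by the relevant statement."""
    return {
        # IPv6 guidance, deny-list form: the IPv4-only range leaves an IPv6 client
        # undenied; adding the IPv6 range closes that gap.
        "ipv4_only_denylist_vs_ipv6_client": deny_applies(DENY_IPV4_RANGE, {"aws:SourceIp": "2001:db8:1234::1"}),
        "dual_stack_denylist_vs_ipv6_client": deny_applies(DENY_DUAL_STACK, {"aws:SourceIp": "2001:db8:1234::1"}),
        # IPv6 guidance, allow-list form: a company client that switches to IPv6
        # is denied because no IPv6 range is listed.
        "ipv4_only_allowlist_vs_ipv6_client": deny_applies(DENY_OUTSIDE_COMPANY, {"aws:SourceIp": "2001:db8:abcd::1"}),
        # EBS/EC2 scenario: the user's own call passes, but the KMS Decrypt call
        # made from an EC2 infrastructure address (constructed stand-in) is denied.
        "allowlist_vs_user_in_company": deny_applies(DENY_OUTSIDE_COMPANY, {"aws:SourceIp": "203.0.113.10"}),
        "allowlist_vs_ec2_infrastructure": deny_applies(DENY_OUTSIDE_COMPANY, {"aws:SourceIp": "198.51.100.7"}),
        # VPC endpoint scenario: a direct call through the endpoint passes; a call
        # made by an integrated service on the user's behalf has no aws:SourceVpce.
        "vpce_direct_call": deny_applies(DENY_OUTSIDE_VPCE, {"aws:SourceVpce": "vpce-EXAMPLE"}),
        "vpce_service_side_call": deny_applies(DENY_OUTSIDE_VPCE, {}),
    }


if __name__ == "__main__":
    for name, blocked in scenarios().items():
        print(f"{name}: {'DENIED' if blocked else 'not denied by this statement'}")
```

The evaluator deliberately treats a missing `aws:SourceVpce` key as satisfying `StringNotEquals`, which is the IAM rule that makes endpoint-only restrictions break service-side calls; if a real policy needs to tolerate requests without the key, the `...IfExists` operator variants exist for that purpose.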