Permissions required to use the Amazon KMS console - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions required to use the Amazon KMS console

To work with the Amazon KMS console, users must have a minimum set of permissions that allow them to work with the Amazon KMS resources in their Amazon Web Services account. In addition to these Amazon KMS permissions, users must also have permission to list IAM users and IAM roles, because the console lists those principals when you define key administrators and key users. If you attach an IAM policy that is more restrictive than the minimum required permissions, the Amazon KMS console won't function as intended for users with that policy: pages fail to load or show incomplete information, even though the user may still have permission to call the underlying API operations directly.

For the minimum permissions required to allow a user read-only access to the Amazon KMS console, see Allow a user to view KMS keys in the Amazon KMS console.
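The check below is an added example, not code from the Amazon KMS documentation. It takes an IAM identity policy document and reports which of the read-only console actions it fails to allow, so you can tell in advance whether a policy is "more restrictive than the minimum" in the sense described above. The list of read-only console actions is an assumption taken from the linked page on viewing KMS keys in the console; confirm it against the current documentation before relying on it. The policy documents embedded in the block are constructed for illustration.

```python
import fnmatch

# Assumed minimum action set for read-only use of the KMS console, taken from
# the linked "Allow a user to view KMS keys" page. Verify against current docs.
CONSOLE_READ_ONLY_ACTIONS = [
    "kms:ListKeys",
    "kms:ListAliases",
    "kms:DescribeKey",
    "kms:ListKeyPolicies",
    "kms:GetKeyPolicy",
    "kms:GetKeyRotationStatus",
    "iam:ListUsers",
    "iam:ListRoles",
]


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_console_actions(policy, required=CONSOLE_READ_ONLY_ACTIONS):
    """Return the required actions that this identity policy does not allow.

    An action counts as allowed only when an unconditional Allow statement
    matches it on Resource "*" (the console's List* calls are not scoped to a
    particular key) and no Deny statement in the policy matches it. Statements
    with a Condition are skipped because the console cannot be assumed to
    satisfy them; NotAction statements are not interpreted and so grant nothing.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "Condition" in stmt:
            continue
        patterns = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in required:
            if not any(_action_matches(p, action) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                # Any matching Deny breaks at least part of the console view.
                denied.add(action)
            elif stmt.get("Effect") == "Allow" and "*" in resources:
                allowed.add(action)
    return [a for a in required if a not in allowed or a in denied]


# Constructed sample policies for illustration.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": CONSOLE_READ_ONLY_ACTIONS, "Resource": "*"},
}

# Looks reasonable but omits the Get* calls and the IAM listing the console needs.
TOO_RESTRICTIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["kms:List*", "kms:DescribeKey"], "Resource": "*"},
}

# Broad Allow undone for one action by an explicit Deny.
DENY_OVERRIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:*", "iam:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:GetKeyPolicy", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, policy in [("read-only", READ_ONLY_POLICY),
                         ("too restrictive", TOO_RESTRICTIVE_POLICY),
                         ("deny override", DENY_OVERRIDE_POLICY)]:
        print(name, "->", missing_console_actions(policy) or "OK")
```

Run the file to see which actions each sample policy leaves out. The checker is deliberately conservative: a policy it passes still has to be tested with a real sign-in, since resource-scoped or conditional statements that it ignores may be enough in your account.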

To allow users to work with the Amazon KMS console to create and manage KMS keys, attach the AWSKeyManagementServicePowerUser managed policy to the user, as described in the following section. Treat this policy as an administrative grant rather than a general-purpose console permission: it allows the user to create KMS keys, and whoever creates a key can set that key's initial key policy.

You don't need to grant the minimum console permissions to users who work with the Amazon KMS API only through the Amazon SDKs, the Amazon Command Line Interface or the Amazon Tools for PowerShell. However, you do need to grant these users permission to call the API operations they use. For more information, see Permissions reference.