Permissions required to use the Amazon KMS console
To work with the Amazon KMS console, users must have a minimum set of permissions that allow them to work with the Amazon KMS resources in their Amazon Web Services account. In addition to these Amazon KMS permissions, users must also have permissions to list IAM users and IAM roles. If you create an IAM policy that is more restrictive than the minimum required permissions, the Amazon KMS console won't function as intended for users with that IAM policy.
For the minimum permissions required to allow a user read-only access to the Amazon KMS console, see Allow a user to view KMS keys in the Amazon KMS console.
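One way to catch a policy that is more restrictive than the console needs before attaching it, as an added example that is not AWS's own code. The KMS actions in `REQUIRED_ACTIONS` are an assumed stand-in for the read-only console set (this page itself only names listing IAM users and IAM roles), and the function names and sample policy are hypothetical.

```python
import fnmatch

# Assumed action set for viewing keys in the console. The page states only that
# KMS permissions plus listing IAM users and roles are needed; the KMS actions
# here are an assumption, so align them with the documented read-only policy.
REQUIRED_ACTIONS = [
    "kms:ListKeys", "kms:ListAliases", "kms:DescribeKey",
    "iam:ListUsers", "iam:ListRoles",
]

def _as_list(value):
    # IAM policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    """True if the statement's Action or NotAction element covers `action`."""
    for key, negate in (("Action", False), ("NotAction", True)):
        if key in statement:
            # IAM action names are case-insensitive and allow * and ? wildcards.
            hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                      for p in _as_list(statement[key]))
            return hit != negate
    return False

def missing_console_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions this identity policy does not allow.

    An explicit Deny overrides any Allow. Resource and Condition elements are
    ignored, so an empty result is necessary but not sufficient."""
    statements = _as_list(policy.get("Statement", []))
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _matches(s, action)
                      for s in statements)
        denied = any(s.get("Effect") == "Deny" and _matches(s, action)
                     for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed sample: grants KMS read access but no IAM list permissions.
TOO_RESTRICTIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:List*", "kms:DescribeKey"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(missing_console_actions(TOO_RESTRICTIVE))
```

The check covers one identity policy in isolation; permissions boundaries, service control policies and key policies are outside its scope.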
To allow users to work with the Amazon KMS console to create and manage KMS keys, attach the AWSKeyManagementServicePowerUser managed policy to the user, as described in the following section.
You don't need to allow minimum console permissions for users that are working with the Amazon KMS API through the Amazon SDKs