Customer managed policy examples - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Customer managed policy examples

In this section, you can find example IAM policies that allow permissions for various Amazon KMS actions.

Important

Some of the permissions in the following policies are allowed only when the KMS key's key policy also allows them. For more information, see Permissions reference.

For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the IAM User Guide.

Allow a user to view KMS keys in the Amazon KMS console

The following IAM policy allows users read-only access to the Amazon KMS console. Users with these permissions can view all KMS keys in their Amazon Web Services account, but they cannot create or change any KMS keys.

To view KMS keys on the Amazon managed keys and Customer managed keys pages, principals require kms:ListKeys and kms:ListAliases permissions. The remaining permissions, particularly kms:DescribeKey, are required to view optional KMS key table columns and data on the KMS key detail pages. The iam:ListUsers and iam:ListRoles permissions are required to display the key policy in default view without error. To view data on the Custom key stores page and details about KMS keys in custom key stores, principals also need kms:DescribeCustomKeyStores permission.

If you limit a user's console access to particular KMS keys, the console displays an error for each KMS key that is not visible.

This policy includes of two policy statements. The Resource element in the first policy statement allows the specified permissions on all KMS keys in all Regions of the example Amazon Web Services account. Console viewers don't need additional access because the Amazon KMS console displays only KMS keys in the principal's account. This is true even if they have permission to view KMS keys in other Amazon Web Services accounts. The remaining Amazon KMS and IAM permissions require a "Resource": "*" element because they don't apply to any particular KMS key.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ReadOnlyAccessForAllKMSKeysInAccount", "Effect": "Allow", "Action": [ "kms:GetPublicKey", "kms:GetKeyRotationStatus", "kms:GetKeyPolicy", "kms:DescribeKey", "kms:ListKeyPolicies", "kms:ListResourceTags" ], "Resource": "arn:aws:kms:*:111122223333:key/*" }, { "Sid": "ReadOnlyAccessForOperationsWithNoKMSKey", "Effect": "Allow", "Action": [ "kms:ListKeys", "kms:ListAliases", "iam:ListRoles", "iam:ListUsers" ], "Resource": "*" } ] }

Allow a user to create KMS keys

The following IAM policy allows a user to create KMS keys. The value of the Resource element is * because the CreateKey operation does not use any particular Amazon KMS resources (KMS keys or aliases).

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "kms:CreateKey", "Resource": "*" } }

Principals who create keys might need some related permissions.

  • kms:PutKeyPolicy — Principals who have kms:CreateKey permission can set the initial key policy for the KMS key. However, the CreateKey caller must have kms:PutKeyPolicy permission, which lets them change the KMS key policy, or they must specify the BypassPolicyLockoutSafetyCheck parameter of CreateKey, which is not recommended. The CreateKey caller can get kms:PutKeyPolicy permission for the KMS key from an IAM policy or they can include this permission in the key policy of the KMS key that they're creating.

  • kms:TagResource — To add tags to the KMS key during the CreateKey operation, the CreateKey caller must have kms:TagResource permission in an IAM policy. Including this permission in the key policy of the new KMS key isn't sufficient. However, if the CreateKey caller includes kms:TagResource in the initial key policy, they can add tags in a separate call after the KMS key is created.

  • kms:CreateAlias — Principals who create a KMS key in the Amazon KMS console must have kms:CreateAlias permission on the KMS key and on the alias. (The console makes two calls; one to CreateKey and one to CreateAlias). You must provide the alias permission in an IAM policy. You can provide the KMS key permission in a key policy or IAM policy. For details, see Controlling access to aliases.

In addition to kms:CreateKey, the following IAM policy provides kms:TagResource permission on all KMS keys in the Amazon Web Services account and kms:CreateAlias permission on all aliases that the account. It also includes some useful read-only permissions that can be provided only in an IAM policy.

This IAM policy does not include kms:PutKeyPolicy permission or any other permissions that can be set in a key policy. It's a best practice to set these permissions in the key policy where they apply exclusively to one KMS key.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "IAMPermissionsForParticularKMSKeys", "Effect": "Allow", "Action": "kms:TagResource", "Resource": "arn:aws:kms:*:111122223333:key/*" }, { "Sid": "IAMPermissionsForParticularAliases", "Effect": "Allow", "Action": "kms:CreateAlias", "Resource": "arn:aws:kms:*:111122223333:alias/*" }, { "Sid": "IAMPermissionsForAllKMSKeys", "Effect": "Allow", "Action": [ "kms:CreateKey", "kms:ListKeys", "kms:ListAliases" ], "Resource": "*" } ] }

Allow a user to encrypt and decrypt with any KMS key in a specific Amazon Web Services account

The following IAM policy allows a user to encrypt and decrypt data with any KMS key in Amazon Web Services account 111122223333.

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt" ], "Resource": "arn:aws:kms:*:111122223333:key/*" } }

Allow a user to encrypt and decrypt with any KMS key in a specific Amazon Web Services account and Region

The following IAM policy allows a user to encrypt and decrypt data with any KMS key in Amazon Web Services account 111122223333 in the US West (Oregon) Region.

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt" ], "Resource": [ "arn:aws:kms:us-west-2:111122223333:key/*" ] } }

Allow a user to encrypt and decrypt with specific KMS keys

The following IAM policy allows a user to encrypt and decrypt data with the two KMS keys specified in the Resource element. When specifying a KMS key in an IAM policy statement, you must use the key ARN of the KMS key.

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt" ], "Resource": [ "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321" ] } }

Prevent a user from disabling or deleting any KMS keys

The following IAM policy prevents a user from disabling or deleting any KMS keys, even when another IAM policy or a key policy allows these permissions. A policy that explicitly denies permissions overrides all other policies, even those that explicitly allow the same permissions. For more information, see Troubleshooting key access.

{ "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": [ "kms:DisableKey", "kms:ScheduleKeyDeletion" ], "Resource": "*" } }