Controlling access to grants - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Controlling access to grants

You can control access to the operations that create and manage grants in key policies, in IAM policies, and in grants themselves. Principals who get CreateGrant permission from a grant, rather than from a key policy or IAM policy, have more limited grant permissions.

API operation         Key policy or IAM policy                            Grant
CreateGrant           ✓                                                   ✓
ListGrants            ✓                                                   -
ListRetirableGrants   ✓                                                   -
RetireGrant           ✓ (Limited. See Retiring and revoking grants)       ✓
RevokeGrant           ✓                                                   -

When you use a key policy or IAM policy to control access to operations that create and manage grants, you can use one or more of the following policy conditions to limit the permission. Amazon KMS supports all of the following grant-related condition keys. For detailed information and examples, see Amazon KMS condition keys.

kms:GrantConstraintType

Allows principals to create a grant only when the grant includes the specified grant constraint.

kms:GrantIsForAWSResource

Allows principals to call CreateGrant, ListGrants, or RevokeGrant only when an Amazon service that is integrated with Amazon KMS sends the request on the principal's behalf.

kms:GrantOperations

Allows principals to create a grant, but limits the grant to the specified operations.

kms:GranteePrincipal

Allows principals to create a grant only for the specified grantee principal.

kms:RetiringPrincipal

Allows principals to create a grant only when the grant specifies a particular retiring principal.
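The following is an added example, not code from the Amazon KMS documentation or from AWS. It shows a constructed key policy statement that narrows kms:CreateGrant with four of the condition keys above (kms:GranteePrincipal, kms:GrantConstraintType, kms:RetiringPrincipal and kms:GrantOperations), plus a small evaluator that models how those conditions are applied to CreateGrant request bodies. The account ID, partition, role names and key ARN are placeholders, and the evaluator models only the StringEquals and ForAllValues:StringEquals operators the statement uses; it is a teaching model, not the IAM policy engine. kms:GrantIsForAWSResource is left out because its value is set by KMS from the calling service, not from anything in the request body.

```python
"""Illustrative evaluator for the grant-related Amazon KMS condition keys.

Added example, not AWS code: the key policy statement below is constructed,
and the evaluator models only the two condition operators that statement
uses (StringEquals and ForAllValues:StringEquals) and how a missing context
key is treated. It is a teaching model of how each key narrows CreateGrant,
not a reimplementation of the IAM policy engine.
"""

# Hypothetical principals; the account ID, partition and role names are made up.
GRANT_ADMIN = "arn:aws-cn:iam::111122223333:role/grant-admin"
APP_WORKER = "arn:aws-cn:iam::111122223333:role/app-worker"

# Constructed key policy statement. It lets grant-admin call CreateGrant on the
# key, but only for grants that name app-worker as grantee, allow no operation
# outside Encrypt/Decrypt/GenerateDataKey, carry an EncryptionContextSubset
# constraint, and name grant-admin as the retiring principal.
KEY_POLICY_STATEMENT = {
    "Sid": "AllowConstrainedCreateGrant",
    "Effect": "Allow",
    "Principal": {"AWS": GRANT_ADMIN},
    "Action": "kms:CreateGrant",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:GranteePrincipal": APP_WORKER,
            "kms:GrantConstraintType": "EncryptionContextSubset",
            "kms:RetiringPrincipal": GRANT_ADMIN,
        },
        # kms:GrantOperations is multi-valued: ForAllValues requires every
        # operation listed in the request to appear in this list.
        "ForAllValues:StringEquals": {
            "kms:GrantOperations": ["Encrypt", "Decrypt", "GenerateDataKey"],
        },
    },
}


def request_context(grant_request):
    """Map a CreateGrant request body onto the condition keys KMS would populate.

    Constructed mapping: kms:GrantConstraintType is modeled as the name of the
    single constraint supplied in the request (None when there is none).
    """
    constraints = grant_request.get("Constraints") or {}
    return {
        "kms:GranteePrincipal": grant_request.get("GranteePrincipal"),
        "kms:RetiringPrincipal": grant_request.get("RetiringPrincipal"),
        "kms:GrantOperations": list(grant_request.get("Operations") or []),
        "kms:GrantConstraintType": next(iter(constraints), None),
    }


def string_equals(expected, actual):
    # A missing context key never matches a StringEquals condition.
    return actual is not None and actual == expected


def for_all_values_string_equals(allowed, actual_values):
    # Every request value must be in the allowed list. This mirrors the IAM
    # behaviour worth remembering: an empty or absent multi-valued key satisfies
    # ForAllValues, so this operator alone never forces an operation to be present.
    return all(value in allowed for value in actual_values)


def create_grant_allowed(statement, grant_request):
    """True if every condition in the statement holds for the request."""
    ctx = request_context(grant_request)
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                ok = string_equals(expected, actual)
            elif operator == "ForAllValues:StringEquals":
                ok = for_all_values_string_equals(expected, actual or [])
            else:
                raise ValueError(f"operator not modeled: {operator}")
            if not ok:
                return False
    return True


def sample_requests():
    """Constructed CreateGrant bodies: one compliant, the rest each break one condition."""
    base = {
        "KeyId": "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID",  # placeholder
        "GranteePrincipal": APP_WORKER,
        "RetiringPrincipal": GRANT_ADMIN,
        "Operations": ["Encrypt", "Decrypt"],
        "Constraints": {"EncryptionContextSubset": {"app": "billing"}},
    }
    other_role = "arn:aws-cn:iam::111122223333:role/other-worker"
    return {
        "compliant": base,
        "extra_operation": {**base, "Operations": ["Decrypt", "CreateGrant"]},
        "wrong_grantee": {**base, "GranteePrincipal": other_role},
        "no_constraint": {**base, "Constraints": {}},
        "wrong_constraint": {**base, "Constraints": {"EncryptionContextEquals": {"app": "billing"}}},
        "wrong_retirer": {**base, "RetiringPrincipal": other_role},
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        verdict = "allow" if create_grant_allowed(KEY_POLICY_STATEMENT, req) else "deny"
        print(f"{name:>16}: {verdict}")
```

Running the script prints one verdict per constructed request: only the compliant body is allowed; a grant that would add CreateGrant to its operations, name a different grantee or retiring principal, or omit or change the EncryptionContextSubset constraint is denied. The point of the design is that the condition keys constrain the shape of the grant being created, so a principal with this CreateGrant permission cannot use it to hand out broader permissions than the policy author intended.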