Best practices for Amazon KMS grants
Amazon KMS recommends the following best practices when creating, using, and managing grants.
- Limit the permissions in the grant to those that the grantee requires. Apply the principle of least privilege and be as specific as possible in every grant parameter:
  - Specify only the grant operations that the grantee needs.
  - Use a specific grantee principal, such as an IAM role, or a specific grantee service principal.
  - Use grant constraints to further restrict the grant.
- Use the encryption context grant constraints to ensure that callers are using the KMS key for the intended purpose. For details about how to use the encryption context in a request to secure your data, see How to Protect the Integrity of Your Encrypted Data by Using Amazon Key Management Service and EncryptionContext in the Amazon Security Blog.
  Tip: Use the EncryptionContextEquals grant constraint whenever possible; it requires the encryption context in the request to match the specified pairs exactly. The EncryptionContextSubset grant constraint is more difficult to use correctly: it only requires the request to include the specified pairs, so a request that adds further pairs you did not anticipate still satisfies it. If you need to use it, read the documentation carefully and test the grant constraint to make sure it works as intended.
- When creating grants for supported Amazon services, use the SourceArn grant constraint to restrict the grant to a specific resource.
- Be aware of duplicate grants. Duplicate grants have the same parameters except for the grant name. Needless duplication can cause you to reach the Grants per KMS key quota. To avoid duplicating grants when retrying a CreateGrant request, use the Name parameter: when a retry carries the same name and identical parameters, KMS returns the existing grant ID instead of creating another grant. To detect duplicate grants, use the ListGrants operation and compare grants that share a key, grantee principal, retiring principal, operations, and constraints.
  Note: Some Amazon services create grants for different resources that might appear to be duplicates. These grants have lifecycles tied to the different resources. Deleting grants created by an Amazon service can be disruptive and requires extra precaution.
- Remember that grants do not automatically expire. Retire the grant (RetireGrant, by the retiring principal or by a grantee principal the grant permits to retire it) or revoke it (RevokeGrant) as soon as the permission is no longer needed. Grants that are not deleted leave standing access to the KMS key and can become a security risk for the encrypted resources.
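The practices above, as an added example that is not part of the AWS documentation or any AWS library: a helper that assembles a least-privilege CreateGrant request (explicit operations, a specific principal, an EncryptionContextEquals constraint, and a Name for idempotent retries), plus checks that scan a ListGrants-style result for duplicates and for grants that have outlived their purpose. It uses only the Python standard library, so it does not call KMS; the dict keys mirror the KMS API field names, while the ARNs, grant IDs, grant names and the helper names themselves (`build_grant_request`, `find_duplicate_grants`, `stale_grants`) are assumptions constructed for the example, and the account-root check is a simple heuristic.

```python
"""Least-privilege KMS grant helpers (added example; not AWS code).

Builds a CreateGrant request that follows the best practices above, then scans
a ListGrants-style response for duplicate grants and for grants that have been
around longer than intended. Standard library only, so it runs offline; dict
keys mirror the KMS API field names. All ARNs, grant IDs and names below are
constructed sample values.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample identifiers (not real resources).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = "arn:aws:iam::111122223333:role/BillingAppRole"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DEFAULT_MAX_AGE = timedelta(days=90)  # review threshold chosen for the example


def build_grant_request(key_id, grantee_principal, operations,
                        encryption_context, name, retiring_principal=None):
    """Return CreateGrant parameters that apply least privilege: an explicit
    operation list, a specific principal, an EncryptionContextEquals
    constraint, and a Name so that retried requests are idempotent."""
    if not operations:
        raise ValueError("list only the operations the grantee actually needs")
    if not encryption_context:
        raise ValueError("refusing an unconstrained grant; supply an encryption context")
    if not name:
        raise ValueError("Name is required so that CreateGrant retries do not duplicate the grant")
    # Heuristic: an account root ARN is not a specific grantee principal.
    if grantee_principal.endswith(":root"):
        raise ValueError("grant to a specific IAM role or service principal, not the account root")
    request = {
        "KeyId": key_id,
        "GranteePrincipal": grantee_principal,
        "Operations": sorted(set(operations)),
        # Equals, not Subset: the request's context must match these pairs exactly.
        "Constraints": {"EncryptionContextEquals": dict(encryption_context)},
        "Name": name,
    }
    if retiring_principal:
        request["RetiringPrincipal"] = retiring_principal
    return request


def grant_signature(grant):
    """Identity of a grant with Name, GrantId and CreationDate left out: grants
    whose remaining parameters match are duplicates even if their names differ."""
    constraints = grant.get("Constraints") or {}
    frozen = tuple((kind, tuple(sorted(pairs.items())))
                   for kind, pairs in sorted(constraints.items()))
    return (grant["KeyId"], grant["GranteePrincipal"],
            grant.get("RetiringPrincipal"),
            tuple(sorted(grant["Operations"])), frozen)


def find_duplicate_grants(grants):
    """Group ListGrants entries by signature; return GrantId lists of size > 1."""
    groups = {}
    for grant in grants:
        groups.setdefault(grant_signature(grant), []).append(grant["GrantId"])
    return [ids for ids in groups.values() if len(ids) > 1]


def stale_grants(grants, now, max_age):
    """GrantIds created more than max_age ago. Grants never expire on their own,
    so these are the candidates to retire or revoke if no longer needed."""
    return [g["GrantId"] for g in grants if now - g["CreationDate"] > max_age]


def _grant(grant_id, name, age, context):
    """Build one constructed ListGrants entry."""
    return {"KeyId": KEY_ARN, "GrantId": grant_id, "Name": name,
            "CreationDate": NOW - age, "GranteePrincipal": ROLE_ARN,
            "Operations": ["GenerateDataKey", "Decrypt"],
            "Constraints": {"EncryptionContextEquals": context}}


# Constructed ListGrants output: grant-b duplicates grant-a (only the Name
# differs, as a retry without a stable Name would produce); grant-c is old.
SAMPLE_GRANTS = [
    _grant("grant-a", "billing-decrypt", timedelta(days=2), {"app": "billing"}),
    _grant("grant-b", "billing-decrypt-retry", timedelta(days=1), {"app": "billing"}),
    _grant("grant-c", "reports-decrypt", timedelta(days=180), {"app": "reports"}),
]

if __name__ == "__main__":
    print(build_grant_request(KEY_ARN, ROLE_ARN, ["GenerateDataKey", "Decrypt"],
                              {"app": "billing"}, "billing-decrypt"))
    print("duplicates:", find_duplicate_grants(SAMPLE_GRANTS))
    print("stale:", stale_grants(SAMPLE_GRANTS, NOW, DEFAULT_MAX_AGE))
```

The duplicate check deliberately ignores the grant name, matching the definition above, and it only flags candidates: entries that an AWS service created for different resources must be left alone even when they look alike, so confirm the origin of each flagged grant before retiring or revoking it.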