Controlling access to HMAC KMS keys - Amazon Key Management Service

Controlling access to HMAC KMS keys

To control access to an HMAC KMS key, you use a key policy, which is required for every KMS key. You can also use IAM policies and grants.

The default key policy for HMAC keys created in the Amazon KMS console gives key users permission to call the GenerateMac and VerifyMac operations. However, it does not include the key policy statement designed for using grants with Amazon services. If you create HMAC keys by using the CreateKey operation, you must specify these permissions in the key policy or an IAM policy.

You can use Amazon global condition keys and Amazon KMS condition keys to refine and limit permissions to HMAC keys. For example, you can use the kms:ResourceAliases condition key to control access to Amazon KMS operations based on the aliases associated with an HMAC key. The following Amazon KMS policy conditions are useful for policies on HMAC keys.

  • Use a kms:MacAlgorithm condition key to limit the algorithms that the principals can request when they call the GenerateMac and VerifyMac operations. For example, you can allow principals to call the GenerateMac operation but only when the MAC algorithm in the request is HMAC_SHA_384.

  • Use a kms:KeySpec condition key to allow or prevent principals from creating certain types of HMAC keys. For example, to allow principals to create only HMAC keys, you can allow the CreateKey operation, but use the kms:KeySpec condition to allow only keys with an HMAC_384 key spec.

    You can also use the kms:KeySpec condition key to control access to other operations on a KMS key based on the key spec of the key. For example, you can allow principals to schedule and cancel key deletion only on KMS keys with an HMAC_256 key spec.

  • Use the kms:KeyUsage condition key to allow or prevent principals from creating any HMAC keys. For example, to allow principals to create only HMAC keys, you can allow the CreateKey operation, but use the kms:KeyUsage condition to allow only keys with a GENERATE_VERIFY_MAC key usage.

    You can also use the kms:KeyUsage condition key to control access to other operations on a KMS key based on the key usage of the key. For example, you can allow principals to enable and disable only KMS keys with a GENERATE_VERIFY_MAC key usage.
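The following IAM policy is an added example, not taken from the Amazon KMS documentation; it combines the three condition keys above in one document: CreateKey is allowed only for HMAC_384 keys with GENERATE_VERIFY_MAC usage, GenerateMac and VerifyMac are allowed only with the HMAC_SHA_384 algorithm, and scheduling or cancelling deletion is allowed only on keys whose spec is HMAC_256. The account ID 111122223333 and the aws partition in the ARNs are placeholders (China Regions use a different partition), and the policy only takes effect on keys whose key policy enables IAM policies.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOnlyHmac384Keys",
      "Effect": "Allow",
      "Action": "kms:CreateKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:KeySpec": "HMAC_384",
          "kms:KeyUsage": "GENERATE_VERIFY_MAC"
        }
      }
    },
    {
      "Sid": "MacOnlyWithSha384",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateMac",
        "kms:VerifyMac"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*",
      "Condition": {
        "StringEquals": {
          "kms:MacAlgorithm": "HMAC_SHA_384"
        }
      }
    },
    {
      "Sid": "DeleteOnlyHmac256Keys",
      "Effect": "Allow",
      "Action": [
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*",
      "Condition": {
        "StringEquals": {
          "kms:KeySpec": "HMAC_256"
        }
      }
    }
  ]
}
```

A GenerateMac request that names HMAC_SHA_256 against a key covered by this policy is denied by the second statement's condition, which is the behaviour to confirm in CloudTrail when testing the policy.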

You can also create grants for GenerateMac and VerifyMac operations, which are grant operations. However, you cannot use an encryption context grant constraint in a grant for an HMAC key. The HMAC tag format does not support encryption context values.