Overview of IAM policies - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Overview of IAM policies

You can use IAM policies in the following ways:

  • Attach a permissions policy to a role for federation or cross-account permissions – You can attach an IAM policy to an IAM role to enable identity federation, allow cross-account permissions, or give permissions to applications running on EC2 instances. For more information about the various use cases for IAM roles, see IAM Roles in the IAM User Guide.

  • Attach a permissions policy to a user or a group – You can attach a policy that allows a user or group of users to call Amazon KMS operations. However, IAM best practices recommend that you use identities with temporary credentials, such as IAM roles, whenever possible.

The following example shows an IAM policy with Amazon KMS permissions. This policy allows the IAM identities to which it is attached to list all KMS keys and aliases.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:ListKeys",
      "kms:ListAliases"
    ],
    "Resource": "*"
  }
}

Like all IAM policies, this policy doesn't have a Principal element. When you attach an IAM policy to an IAM identity, that identity gets the permissions specified in the policy.
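As an added example that is not part of the Amazon KMS documentation, the following Python linter checks an identity-based policy for the properties described above: the Statement element may be a single object or a list, an identity-based policy must not carry a Principal element, and a wildcard KMS action on a wildcard resource grants far more than the list-only policy shown. The sample policy embedded below is constructed for this example.

```python
import json

# Constructed sample: the list-only policy from the page, as an identity policy.
KMS_LIST_POLICY = """
{ "Version": "2012-10-17",
  "Statement": { "Effect": "Allow",
                 "Action": [ "kms:ListKeys", "kms:ListAliases" ],
                 "Resource": "*" } }
"""


def _as_list(value):
    """IAM accepts either a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_identity_policy(policy_json):
    """Return a list of findings for an identity-based (IAM) policy document.

    An empty list means the policy has none of the problems checked here.
    """
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17 (current policy language)")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        # Identity-based policies are attached to the identity itself; a
        # Principal element belongs only in resource-based policies.
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(f"statement {i}: identity-based policy must not contain Principal")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Flag the broadest grant: every KMS action on every key.
        if stmt["Effect"] == "Allow" and "*" in resources:
            if any(a in ("*", "kms:*") for a in actions):
                findings.append(f"statement {i}: allows all KMS actions on all keys; scope to key ARNs")
    return findings


if __name__ == "__main__":
    print(lint_identity_policy(KMS_LIST_POLICY))  # expected: []
```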

For a table showing all of the Amazon KMS API actions and the resources that they apply to, see the Permissions reference.