Using IAM policies with Amazon KMS - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using IAM policies with Amazon KMS

You can use IAM policies, along with key policies, grants, and VPC endpoint policies, to control access to your Amazon KMS keys in Amazon KMS.

Note

To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. Specifically, the key policy must include the policy statement that enables IAM policies: an Allow statement whose principal is the account's root principal (for example, arn:aws-cn:iam::111122223333:root, where 111122223333 is a placeholder account ID) and whose Action is kms:* on the key. That statement gives the account's root user access to the key and lets IAM policies in the account allow or deny access to it; on its own it grants nothing to any other user or role.

This section explains how to use IAM policies to control access to Amazon KMS operations. For more general information about IAM, see the IAM User Guide.

All KMS keys must have a key policy. IAM policies are optional, and an IAM policy can allow access to a KMS key only if that key's policy contains the statement that enables IAM policies (see the note above). If a key policy omits that statement, IAM policies in the account have no effect on that key, so make sure the key policy then names at least one administrative principal directly; otherwise the key can become unmanageable.

IAM policies can control access to any Amazon KMS operation. Unlike key policies, a single IAM policy can control access to multiple KMS keys (by listing their ARNs in the Resource element) and can grant permissions for the operations of several related Amazon services. IAM policies are also the only policy type that can grant access to operations, such as CreateKey, that don't involve any particular KMS key and therefore can't be controlled by a key policy. Use a Resource of "*" only for such operations; scope cryptographic and key-management operations to the ARNs of the keys the principal actually needs.
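The following script is an added example and is not code from the Amazon KMS documentation. It turns the two rules stated in the note and in the paragraph above into checks you can run against policy documents exported from an account: a key-policy check for the statement that enables IAM policies, and a simplified identity-policy evaluation that shows CreateKey being granted with Resource "*" while cryptographic operations are scoped to specific key ARNs. The account ID, key IDs and Region are placeholders, and the partition is assumed to be aws-cn because this page is for the China Regions.

```python
"""Added example, not code from the Amazon KMS documentation.

Checks two rules against policy documents: (1) IAM policies only govern a
KMS key whose key policy contains the statement that enables IAM policies,
and (2) operations with no key resource, such as CreateKey, can only be
granted by an IAM policy. All identifiers below are placeholders."""
import fnmatch

ACCOUNT_ID = "111122223333"  # placeholder account ID
PARTITION = "aws-cn"         # assumed: China Regions; use "aws" elsewhere
KEY_A = f"arn:{PARTITION}:kms:cn-north-1:{ACCOUNT_ID}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = f"arn:{PARTITION}:kms:cn-north-1:{ACCOUNT_ID}:key/0987dcba-09fe-87dc-65ba-ab0987654321"

# Constructed key policy for KEY_A. Its single statement is the one that
# enables IAM policies: the account's root principal gets kms:* on the key,
# so IAM policies in that account can now allow or deny the key.
KEY_POLICY_A = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:{PARTITION}:iam::{ACCOUNT_ID}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

# Constructed IAM (identity) policy. CreateKey has no key to scope to, so its
# Resource is "*"; the cryptographic actions are scoped to two key ARNs.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CreateKeys", "Effect": "Allow",
         "Action": "kms:CreateKey", "Resource": "*"},
        {"Sid": "UseTwoKeys", "Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": [KEY_A, KEY_B]},
        {"Sid": "NeverScheduleDeletion", "Effect": "Deny",
         "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ],
}


def _as_list(value):
    """Policy JSON allows a bare string wherever a list is expected."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM action names are case-insensitive; resource ARNs are not."""
    pairs = ((value.lower(), p.lower()) if fold_case else (value, p) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(v, p) for v, p in pairs)


def key_policy_enables_iam(key_policy, account_id, partition=PARTITION):
    """True if an unconditional Allow gives the account's root principal kms:*
    on the key. A narrower root Allow delegates only the listed actions to
    IAM and is deliberately not accepted here."""
    root_forms = {account_id, f"arn:{partition}:iam::{account_id}:root"}
    for st in key_policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        all_kms = any(a.lower() in ("kms:*", "*") for a in _as_list(st.get("Action")))
        if root_forms.intersection(aws) and all_kms and "*" in _as_list(st.get("Resource")):
            return True
    return False


def iam_policy_allows(iam_policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise
    some Allow must match both action and resource. Condition, NotAction and
    NotResource elements, SCPs and permissions boundaries are not modelled."""
    allowed = False
    for st in iam_policy.get("Statement", []):
        if any(k in st for k in ("Condition", "NotAction", "NotResource")):
            raise NotImplementedError(f"statement {st.get('Sid')} uses an unmodelled element")
        if not (_matches(st.get("Action"), action, True)
                and _matches(st.get("Resource"), resource, False)):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = allowed or st.get("Effect") == "Allow"
    return allowed


def allowed_via_iam(key_policy, iam_policy, account_id, action, key_arn):
    """Both rules together: an IAM Allow on a key only counts once the key's
    policy has enabled IAM policies for the caller's account."""
    return (key_policy_enables_iam(key_policy, account_id)
            and iam_policy_allows(iam_policy, action, key_arn))


if __name__ == "__main__":
    print("key policy enables IAM:", key_policy_enables_iam(KEY_POLICY_A, ACCOUNT_ID))
    print("CreateKey via IAM:", iam_policy_allows(IAM_POLICY, "kms:CreateKey", "*"))
    print("Decrypt KEY_A:", allowed_via_iam(KEY_POLICY_A, IAM_POLICY, ACCOUNT_ID, "kms:Decrypt", KEY_A))
```

The evaluator is intentionally partial: it answers what one identity policy says, not what Amazon KMS will decide, since grants, VPC endpoint policies, conditions and organization-level controls all sit outside it. Its value is in the combination: allowed_via_iam returns False for a key whose policy lacks the enabling statement no matter how generous the IAM policy is, which is exactly the failure mode practitioners hit when an IAM Allow on "arn:...:key/*" seems to be ignored.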

If you access Amazon KMS through an Amazon Virtual Private Cloud (Amazon VPC) endpoint, you can also use a VPC endpoint policy to limit access to your Amazon KMS resources when using the endpoint. For example, when using the VPC endpoint, you might only allow the principals in your Amazon Web Services account to access your customer managed keys. For details, see Controlling access to a VPC endpoint.

For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the IAM User Guide.