Permissions for Amazon services in key policies
Many Amazon services use Amazon KMS keys to protect the resources they manage. When a service uses Amazon owned keys or Amazon managed keys, the service establishes and maintains the key policies for these KMS keys.
However, when you use a customer managed key with an Amazon service, you set and maintain the key policy. That key policy must allow the service the minimum permissions that it requires to protect the resource on your behalf. We recommend that you follow the principle of least privilege: give the service only the permissions that it requires. You can do this effectively by learning which permissions the service needs and by using Amazon global condition keys in the key policy.
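As an added illustration that is not part of the KMS documentation, the following constructed key policy grants CloudTrail only `kms:GenerateDataKey*` and `kms:DescribeKey` and pins that grant to one account and one trail with the global condition keys `aws:SourceAccount` and `aws:SourceArn`; a small check then flags any service-principal statement that lacks both keys. The account ID, region and trail ARN are placeholders, and the CloudTrail actions should be verified against the CloudTrail documentation for your partition.

```python
"""Audit a KMS key policy for service-principal statements that are not
scoped with the global condition keys aws:SourceArn / aws:SourceAccount."""
import json

# Condition key names are case-insensitive, so compare in lowercase.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

# Constructed sample policy (placeholder account, region and trail ARN).
KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableRootAdmin",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudTrailEncrypt",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": ["kms:GenerateDataKey*", "kms:DescribeKey"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:SourceAccount": "111122223333"},
        "ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/*"}
      }
    }
  ]
}""")


def condition_keys(statement):
    """Flatten a statement's Condition block into its lowercased key names."""
    cond = statement.get("Condition", {})
    return {key.lower() for operand in cond.values() for key in operand}


def unscoped_service_statements(policy):
    """Return the Sids of Allow statements for a service principal that carry
    neither aws:SourceArn nor aws:SourceAccount (a confused-deputy risk)."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Service" in principal and not (condition_keys(stmt) & SCOPING_KEYS):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(unscoped_service_statements(KEY_POLICY))  # prints []
```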
To find the permissions that the service requires on a customer managed key, see the encryption documentation for that service. The following list links to the documentation for some services:
- Amazon CloudTrail permissions - Configure Amazon KMS key policies for CloudTrail
- Amazon Elastic Block Store permissions - Amazon EC2 User Guide and Amazon EC2 User Guide
- Amazon Lambda permissions - Data encryption at rest for Lambda
- Amazon Q permissions - Data encryption for Amazon Q
- Amazon Relational Database Service permissions - Amazon KMS key management
- Amazon Secrets Manager permissions - Authorizing use of the KMS key
- Amazon Simple Queue Service permissions - Amazon SQS Key management