Permissions for Amazon services in key policies
Many Amazon services use Amazon KMS keys to protect the resources they manage. When a service uses Amazon owned keys or Amazon managed keys, the service establishes and maintains the key policies for these KMS keys.
However, when you use a customer managed key with an Amazon
service, you set and maintain the key policy. That key policy must allow the service the
minimum permissions that it requires to protect the resource on your behalf. We recommend that
you follow the principle of least privilege: give the service only the permissions that it
requires. You can do this effectively by learning which permissions the service needs and
using Amazon global condition keys
To find the permissions that the service requires on a customer managed key, see the encryption documentation for the service. For example, for the permissions that Amazon Elastic Block Store (Amazon EBS) requires, see Permissions for IAM users in the Amazon EC2 User Guide and Amazon EC2 User Guide. For the permissions that Secrets Manager requires, see Authorizing use of the KMS key in the Amazon Secrets Manager User Guide.