Permissions for Amazon services in key policies - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions for Amazon services in key policies

Many Amazon services use Amazon KMS keys to protect the resources they manage. When a service uses Amazon owned keys or Amazon managed keys, the service establishes and maintains the key policies for these KMS keys.

However, when you use a customer managed key with an Amazon service, you set and maintain the key policy. That key policy must allow the service the minimum permissions that it requires to protect the resource on your behalf. We recommend that you follow the principle of least privilege: give the service only the permissions that it requires. You can do this effectively by learning which permissions the service needs and using Amazon global condition keys and Amazon KMS condition keys to refine the permissions.

To find the permissions that the service requires on a customer managed key, see the encryption documentation for the service. For example, for the permissions that Amazon Elastic Block Store (Amazon EBS) requires, see Permissions for IAM users in the Amazon EC2 User Guide and Amazon EC2 User Guide. For the permissions that Secrets Manager requires, see Authorizing use of the KMS key in the Amazon Secrets Manager User Guide.