Amazon KMS permissions
This table is designed to help you understand Amazon KMS permissions so you can control access to your Amazon KMS resources. Definitions of the column headings appear below the table.
You can also learn about Amazon KMS permissions in the Actions, resources, and condition keys for Amazon Key Management Service topic of the Service Authorization Reference. However, that topic doesn't list all of the condition keys that you can use to refine each permission.
For more information on which Amazon KMS operations are valid for symmetric encryption KMS keys, asymmetric KMS keys, and HMAC KMS keys, see the Key type reference.
| Actions and permissions | Policy type | Cross-account use | Resources (for IAM policies) | Amazon KMS condition keys |
|---|---|---|---|---|
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| ConnectCustomKeyStore | IAM policy | No | | |
| To use this operation, the caller needs ... For details, see Controlling access to aliases. | IAM policy (for the alias) | No | Alias | None (when controlling access to the alias) |
| | Key policy (for the KMS key) | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| CreateCustomKeyStore | IAM policy | No | | |
| | Key policy | Yes | KMS key | Encryption context conditions: kms:EncryptionContext:context-key; Grant conditions; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | IAM policy | No | | kms:BypassPolicyLockoutSafetyCheck; aws:RequestTag/tag-key (Amazon global condition key); aws:ResourceTag/tag-key (Amazon global condition key); aws:TagKeys (Amazon global condition key) |
| | Key policy | Yes | KMS key | Conditions for cryptographic operations; Encryption context conditions: kms:EncryptionContext:context-key; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| To use this operation, the caller needs ... For details, see Controlling access to aliases. | IAM policy (for the alias) | No | Alias | None (when controlling access to the alias) |
| | Key policy (for the KMS key) | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| DeleteCustomKeyStore | IAM policy | No | | |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| DeriveSharedSecret | Key policy | Yes | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Conditions for cryptographic operations |
| DescribeCustomKeyStores | IAM policy | No | | |
| | Key policy | Yes | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Other conditions |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| DisconnectCustomKeyStore | IAM policy | No | | |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Automatic key rotation conditions |
| | Key policy | Yes | KMS key | Conditions for cryptographic operations; Encryption context conditions: kms:EncryptionContext:context-key; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | Yes | KMS key | Conditions for cryptographic operations; Encryption context conditions: kms:EncryptionContext:context-key; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key. | Key policy | Yes | KMS key | Conditions for data key pairs; Conditions for cryptographic operations; Encryption context conditions: kms:EncryptionContext:context-key; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| GenerateDataKeyPairWithoutPlaintext. Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key. | Key policy | Yes | KMS key | Conditions for data key pairs; Conditions for cryptographic operations; Encryption context conditions: kms:EncryptionContext:context-key; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| GenerateDataKeyWithoutPlaintext | Key policy | Yes | KMS key | Conditions for cryptographic operations; Encryption context conditions: kms:EncryptionContext:context-key; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| GenerateMac | Key policy | Yes | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Conditions for cryptographic operations |
| | IAM policy | N/A | | None |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | Yes | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | Yes | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Other conditions |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Other conditions: kms:ExpirationModel |
| | IAM policy | No | | None |
| | Key policy | Yes | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Other conditions |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | IAM policy | No | | None |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | IAM policy | The specified principal must be in the local account, but the operation returns grants in all accounts. | | None |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Other conditions |
| To use this operation, the caller needs permission on two KMS keys: ... | Key policy | Yes | KMS key | Conditions for cryptographic operations; Encryption context conditions: kms:EncryptionContext:context-key; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Other conditions |
| To use this operation, the caller needs the following permissions: ... | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Other conditions |
| Permission to retire a grant is determined primarily by the grant. A policy alone cannot allow access to this operation. For more information, see Retiring and revoking grants. | IAM policy (this permission is not effective in a key policy) | Yes | KMS key | Encryption context conditions: kms:EncryptionContext:context-key; Grant conditions; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | Yes | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Other conditions |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | Yes | KMS key | Conditions for signing and verification: kms:RequestAlias; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Conditions for tagging: aws:RequestTag/tag-key (Amazon global condition key), aws:TagKeys (Amazon global condition key) |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Conditions for tagging: aws:RequestTag/tag-key (Amazon global condition key), aws:TagKeys (Amazon global condition key) |
| To use this operation, the caller needs ... For details, see Controlling access to aliases. | IAM policy (for the alias) | No | Alias | None (when controlling access to the alias) |
| | Key policy (for the KMS keys) | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| UpdateCustomKeyStore | IAM policy | No | | |
| | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| To use this operation, the caller needs ... | Key policy | No | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Other conditions |
| | Key policy | Yes | KMS key | Conditions for signing and verification: kms:RequestAlias; Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key) |
| VerifyMac | Key policy | Yes | KMS key | Conditions for KMS key operations: aws:ResourceTag/tag-key (Amazon global condition key); Conditions for cryptographic operations |
Column descriptions
The columns in this table provide the following information:
- Actions and permissions lists each Amazon KMS API operation and the permission that allows the operation. You specify the operation in the `Action` element of a policy statement.
- Policy type indicates whether the permission can be used in a key policy or an IAM policy.
  - Key policy means that you can specify the permission in the key policy. When the key policy contains the policy statement that enables IAM policies, you can also specify the permission in an IAM policy.
  - IAM policy means that you can specify the permission only in an IAM policy.
- Cross-account use shows the operations that authorized users can perform on resources in a different Amazon Web Services account.
  - A value of Yes means that principals can perform the operation on resources in a different Amazon Web Services account.
  - A value of No means that principals can perform the operation only on resources in their own Amazon Web Services account.
  - If you give a principal in a different account a permission that can't be used on a cross-account resource, the permission is not effective. For example, if you give a principal in a different account kms:TagResource permission to a KMS key in your account, their attempts to tag the KMS key in your account will fail.
- Resources lists the Amazon KMS resources to which the permissions apply. Amazon KMS supports two resource types: a KMS key and an alias. In a key policy, the value of the `Resource` element is always `*`, which indicates the KMS key to which the key policy is attached. Use the following values to represent an Amazon KMS resource in an IAM policy.
  - KMS key: when the resource is a KMS key, use its key ARN. For help, see Find the key ID and key ARN.
    `arn:Amazon_partition_name:kms:Amazon_Region:Amazon_account_ID:key/key_ID`
    For example: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
  - Alias: when the resource is an alias, use its alias ARN. For help, see Find the alias name and alias ARN for a KMS key.
    `arn:Amazon_partition_name:kms:Amazon_Region:Amazon_account_ID:alias/alias_name`
    For example: `arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias`
  - `*` (asterisk): when the permission doesn't apply to a particular resource (KMS key or alias), use an asterisk (`*`). In an IAM policy for an Amazon KMS permission, an asterisk in the `Resource` element indicates all Amazon KMS resources (KMS keys and aliases). You also use an asterisk in the `Resource` element when the Amazon KMS permission doesn't apply to any particular KMS key or alias. For example, when allowing or denying `kms:CreateKey` or `kms:ListKeys` permission, you must set the `Resource` element to `*`.
- Amazon KMS condition keys lists the Amazon KMS condition keys that you can use to control access to the operation. You specify conditions in a policy's `Condition` element. For more information, see Amazon KMS condition keys. This column also includes Amazon global condition keys that are supported by Amazon KMS, but not by all Amazon services.