Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Authorizing Amazon KMS to synchronize multi-Region keys

To support multi-Region keys, Amazon KMS needs permission to synchronize the shared properties of a multi-Region primary key with its replica keys. To get these permissions, Amazon KMS creates the AWSServiceRoleForKeyManagementServiceMultiRegionKeys service-linked role in your Amazon Web Services account. Users who create multi-Region keys must have the iam:CreateServiceLinkedRole permission that allows them to create service-linked roles.

You can view the SynchronizeMultiRegionKey CloudTrail event that records Amazon KMS synchronizing shared properties in your Amazon CloudTrail logs.

To view details about updates to the AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy managed policy, see Amazon KMS updates to Amazon managed policies.

About the service-linked role for multi-Region keys

A service-linked role is an IAM role that gives one Amazon service permission to call other Amazon services on your behalf. It's designed to make it easier for you to use the features of multiple integrated Amazon services without having to create and maintain complex IAM policies.

For multi-Region keys, Amazon KMS creates the AWSServiceRoleForKeyManagementServiceMultiRegionKeys service-linked role with the AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy managed policy. This policy gives the role the kms:SynchronizeMultiRegionKey permission, which allows it to synchronize the shared properties of multi-Region keys.

Because the AWSServiceRoleForKeyManagementServiceMultiRegionKeys service-linked role trusts only mrk.kms.amazonaws.com, only Amazon KMS can assume this service-linked role. This role is limited to the operations that Amazon KMS needs to synchronize multi-Region shared properties. It does not give Amazon KMS any additional permissions. For example, Amazon KMS does not have permission to create, replicate, or delete any KMS keys.

For more information about how Amazon services use service-linked roles, see Using Service-Linked Roles in the IAM User Guide.

{
    "Version" : "2012-10-17",
    "Statement" : [
        {
            "Sid" : "KMSSynchronizeMultiRegionKey",
            "Effect" : "Allow",
            "Action" : [
                "kms:SynchronizeMultiRegionKey"
            ],
            "Resource" : "*"
        }
    ]
}

Create the service-linked role

Amazon KMS automatically creates the AWSServiceRoleForKeyManagementServiceMultiRegionKeys service-linked role in your Amazon Web Services account when you create a multi-Region key, if the role does not already exist. You cannot create or re-create this service-linked role directly.

Edit the service-linked role description

You cannot edit the role name or the policy statements in the AWSServiceRoleForKeyManagementServiceMultiRegionKeys service-linked role, but you can edit the role description. For instructions, see Editing a Service-Linked Role in the IAM User Guide.

Delete the service-linked role

Amazon KMS does not delete the AWSServiceRoleForKeyManagementServiceMultiRegionKeys service-linked role from your Amazon Web Services account and you cannot delete it. However, Amazon KMS does not assume the AWSServiceRoleForKeyManagementServiceMultiRegionKeys role or use any of its permissions unless you have multi-Region keys in your Amazon Web Services account and Region.