Amazon managed policies for Amazon Key Management Service - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon Key Management Service

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: AWSKeyManagementServicePowerUser

You can attach the AWSKeyManagementServicePowerUser policy to your IAM identities.

You can use the AWSKeyManagementServicePowerUser managed policy to give IAM principals in your account the permissions of a power user. Power users can create KMS keys, use and manage the KMS keys they create, and view all KMS keys and IAM identities. Principals who have the AWSKeyManagementServicePowerUser managed policy can also get permissions from other sources, including key policies, other IAM policies, and grants.

AWSKeyManagementServicePowerUser is an Amazon managed IAM policy. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Note

Permissions in this policy that are specific to a KMS key, such as kms:TagResource and kms:GetKeyRotationStatus, are effective only when the key policy for that KMS key explicitly allows the Amazon Web Services account to use IAM policies to control access to the key. To determine whether a permission is specific to a KMS key, see Amazon KMS permissions and look for a value of KMS key in the Resources column.

This policy gives a power user permissions on any KMS key with a key policy that permits the operation. For cross-account permissions, such as kms:DescribeKey and kms:ListGrants, this might include KMS keys in untrusted Amazon Web Services accounts. For details, see Best practices for IAM policies and Allowing users in other accounts to use a KMS key. To determine whether a permission is valid on KMS keys in other accounts, see Amazon KMS permissions and look for a value of Yes in the Cross-account use column.

To allow principals to view the Amazon KMS console without errors, the principal needs the tag:GetResources permission, which is not included in the AWSKeyManagementServicePowerUser policy. You can allow this permission in a separate IAM policy.

The AWSKeyManagementServicePowerUser managed IAM policy includes the following permissions.

  • Allows principals to create KMS keys. Because this process includes setting the key policy, power users can give themselves and others permission to use and manage the KMS keys they create.

  • Allows principals to create and delete aliases and tags on all KMS keys. Changing a tag or alias can allow or deny permission to use and manage the KMS key. For details, see ABAC for Amazon KMS.

  • Allows principals to get detailed information about all KMS keys, including their key ARN, cryptographic configuration, key policy, aliases, tags, and rotation status.

  • Allows principals to list IAM users, groups, and roles.

  • This policy does not allow principals to use or manage KMS keys that they didn't create. However, they can change aliases and tags on all KMS keys, which might allow or deny them permission to use or manage a KMS key.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:CreateAlias", "kms:CreateKey", "kms:DeleteAlias", "kms:Describe*", "kms:GenerateRandom", "kms:Get*", "kms:List*", "kms:TagResource", "kms:UntagResource", "iam:ListGroups", "iam:ListRoles", "iam:ListUsers" ], "Resource": "*" } ] }

Amazon managed policy: AWSServiceRoleForKeyManagementServiceCustomKeyStores

You can't attach AWSServiceRoleForKeyManagementServiceCustomKeyStores to your IAM entities. This policy is attached to a service-linked role that gives Amazon KMS permission to view the Amazon CloudHSM clusters associated with your Amazon CloudHSM key store and create the network to support a connection between your custom key store and its Amazon CloudHSM cluster. For more information, see Authorizing Amazon KMS to manage Amazon CloudHSM and Amazon EC2 resources.

Amazon managed policy: AWSServiceRoleForKeyManagementServiceMultiRegionKeys

You can't attach AWSServiceRoleForKeyManagementServiceMultiRegionKeys to your IAM entities. This policy is attached to a service-linked role that gives Amazon KMS permission to synchronize any changes to the key material of a multi-Region primary key to its replica keys. For more information, see Authorizing Amazon KMS to synchronize multi-Region keys.

Amazon KMS updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon KMS since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon KMS Document history page.

Change Description Date

AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy – Update to existing policy

Amazon KMS added a statement ID (Sid) field to the managed policy in policy version v2.

November 21, 2024

AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy – Update to existing policy

Amazon KMS added the ec2:DescribeVpcs, ec2:DescribeNetworkAcls, and ec2:DescribeNetworkInterfaces permissions to monitor changes in the VPC that contains your Amazon CloudHSM cluster so that Amazon KMS can provide clear error messages in the case of failures.

November 10, 2023

Amazon KMS started tracking changes

Amazon KMS started tracking changes for its Amazon managed policies.

November 10, 2023