Identity and access management for Amazon Key Management Service - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Identity and access management for Amazon Key Management Service

Amazon Identity and Access Management (IAM) helps an administrator securely control access to Amazon resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon KMS resources. For more information, see Using IAM policies with Amazon KMS.

Key policies are the primary mechanism for controlling access to KMS keys in Amazon KMS. Every KMS key must have a key policy. You can also use IAM policies and grants, along with key policies, to control access to your KMS keys. For more information, see Authentication and access control for Amazon KMS.

If you are using an Amazon Virtual Private Cloud (Amazon VPC), you can create an interface VPC endpoint to Amazon KMS powered by Amazon PrivateLink. You can also use VPC endpoint policies to determine which principals can access your Amazon KMS endpoint, which API calls they can make, and which KMS key they can access. For details, see Controlling access to a VPC endpoint.