

# Identity and access management for Amazon Key Management Service
<a name="security-iam"></a>

Amazon Identity and Access Management (IAM) helps you securely control access to Amazon resources. Administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Amazon KMS resources. For more information, see [Using IAM policies with Amazon KMS](iam-policies.md).

[Key policies](key-policies.md) are the primary mechanism for controlling access to KMS keys in Amazon KMS. Every KMS key must have a key policy. You can also use [IAM policies](iam-policies.md) and [grants](grants.md), along with key policies, to control access to your KMS keys. For more information, see [KMS key access and permissions](control-access.md).

If you are using an Amazon Virtual Private Cloud (Amazon VPC), you can [create an interface VPC endpoint](kms-vpc-endpoint.md) to Amazon KMS powered by [Amazon PrivateLink](https://docs.amazonaws.cn/vpc/latest/privatelink/). You can also use VPC endpoint policies to determine which principals can access your Amazon KMS endpoint, which API calls they can make, and which KMS keys they can access.
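
The following VPC endpoint policy is an added example, not part of the original page. It sets all three controls named above: the principal, the permitted API calls, and the KMS key. The account ID, role name, Region and key ID are constructed placeholders, and the `aws-cn` partition is assumed because this page links to the China Regions documentation.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleAllowOneRoleToUseOneKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-cn:iam::111122223333:role/ExampleAppRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
```

An endpoint policy only limits which requests can pass through the endpoint. The caller still needs permission from the key policy, an IAM policy, or a grant.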

**Topics**
+ [Amazon managed policies for Amazon Key Management Service](security-iam-awsmanpol.md)
+ [Using service-linked roles for Amazon KMS](using-service-linked-roles.md)