Connect to an Amazon KMS VPC endpoint - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connect to an Amazon KMS VPC endpoint

You can connect to Amazon KMS through the VPC endpoint by using an Amazon SDK, the Amazon CLI, or Amazon Tools for PowerShell. To specify the VPC endpoint, use its DNS name.

For example, this list-keys command uses the --endpoint-url parameter to specify the VPC endpoint by its DNS name. To use a command like this, replace the example VPC endpoint ID with one in your account.

$ aws kms list-keys --endpoint-url https://vpce-1234abcdf5678c90a-09p7654s-us-east-1a.ec2.us-east-1.vpce.amazonaws.com

Required permissions

For an Amazon KMS request that uses a VPC endpoint to be successful, the principal requires permissions from two sources:

  • A key policy, IAM policy, or grant must give the principal permission to call the operation on the resource (KMS key or alias).

  • A VPC endpoint policy must give the principal permission to use the endpoint to make the request.

For example, a key policy might give a principal permission to call Decrypt on a particular KMS key. However, the VPC endpoint policy might not allow that principal to call Decrypt on that KMS key by using the endpoint.

Or a VPC endpoint policy might allow a principal to use the endpoint to call DisableKey on certain KMS keys. But if the principal doesn't have those permissions from a key policy, IAM policy, or grant, the request fails.
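The two-sided check described above, as an added example that is not part of the Amazon KMS documentation: a simplified model in which a request over the endpoint succeeds only when both the key policy and the VPC endpoint policy allow it. It models only Effect, Principal, Action and Resource with "*" wildcards (no conditions, grants or NotAction); the key ARN, role ARN and both policies are constructed sample values.

```python
import fnmatch

def _matches(pattern, value):
    """Match a policy element (string or list, "*" wildcards) against a value."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _principal_matches(principal, arn):
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return _matches(aws, arn)

def evaluate(policy, principal_arn, action, resource_arn):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for a single policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt.get("Principal", "*"), principal_arn)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource_arn)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision

def request_allowed(key_policy, endpoint_policy, principal_arn, action, resource_arn):
    """A request through the VPC endpoint needs an Allow from BOTH policies."""
    return all(evaluate(p, principal_arn, action, resource_arn) == "Allow"
               for p in (key_policy, endpoint_policy))

# Constructed sample values (placeholders, not real account resources).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ROLE = "arn:aws:iam::111122223333:role/ExampleAppRole"

# Key policy: the role may Decrypt and DescribeKey on this key.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

# VPC endpoint policy: the role may use the endpoint for DescribeKey and
# DisableKey on this key, and nobody may use it for ScheduleKeyDeletion.
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": ["kms:DescribeKey", "kms:DisableKey"], "Resource": KEY_ARN},
    {"Effect": "Deny", "Principal": "*",
     "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}]}

if __name__ == "__main__":
    for action in ("kms:DescribeKey", "kms:Decrypt", "kms:DisableKey"):
        print(action, request_allowed(KEY_POLICY, ENDPOINT_POLICY, ROLE, action, KEY_ARN))
```

Decrypt is allowed by the key policy but not by the endpoint policy, and DisableKey the other way round, so only DescribeKey succeeds through the endpoint.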

You can create a VPC endpoint policy when you create your endpoint, and you can change the VPC endpoint policy at any time. Use the VPC management console, or the CreateVpcEndpoint or ModifyVpcEndpoint operations. You can also create and change a VPC endpoint policy by using an Amazon CloudFormation template. For help using the VPC management console, see Create an interface endpoint and Modifying an interface endpoint in the Amazon PrivateLink Guide.

Private hostnames

If you enabled private hostnames when you created your VPC endpoint, you do not need to specify the VPC endpoint URL in your CLI commands or application configuration. The standard Amazon KMS DNS hostname resolves to your VPC endpoint. The Amazon CLI and SDKs use this hostname by default, so you can begin using the VPC endpoint to connect to an Amazon KMS regional endpoint without changing anything in your scripts and applications.

To use private hostnames, the enableDnsHostnames and enableDnsSupport attributes of your VPC must be set to true. To set these attributes, use the ModifyVpcAttribute operation. For details, see View and update DNS attributes for your VPC in the Amazon VPC User Guide.