Giving Amazon Personalize permission to use your Amazon KMS key
If you specify an Amazon Key Management Service (Amazon KMS) key when you use the Amazon Personalize console or APIs, or if you use your Amazon KMS key to encrypt an Amazon S3 bucket, you must grant Amazon Personalize permission to use your key. To grant permissions, both your Amazon KMS key policy and the IAM policy attached to your service role must grant Amazon Personalize permission to use your key. This applies when you create the following in Amazon Personalize:
- Dataset groups
- Dataset import jobs (only the Amazon KMS key policy must grant permissions)
- Dataset export jobs
- Batch inference jobs
- Batch segment jobs
- Metric attributions
Your Amazon KMS key policy and IAM policies must grant permissions for the following actions:
- Decrypt
- GenerateDataKey
- DescribeKey
- CreateGrant (only required in the key policy)
- ListGrants
Revoking Amazon KMS key permissions after creating a resource can lead to issues when creating a filter or getting recommendations. For more information about Amazon KMS policies, see Using key policies in Amazon KMS.
Key policy example
The following key policy example grants Amazon Personalize and your role the minimum permissions for the preceding Amazon Personalize operations.
If you specify a key when you create a dataset group and want to export data from a dataset, your key policy must also include the GenerateDataKeyWithoutPlaintext action.
{
  "Version": "2012-10-17",
  "Id": "key-policy-123",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:role/<personalize-role-name>",
        "Service": "personalize.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:CreateGrant",
        "kms:ListGrants"
      ],
      "Resource": "*"
    }
  ]
}
IAM policy example
The following IAM policy example grants a role the minimum Amazon KMS permissions required for the preceding Amazon Personalize operations. For dataset import jobs, only the Amazon KMS key policy needs to grant permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:ListGrants"
      ],
      "Resource": "*"
    }
  ]
}
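As an added example (not code from the AWS documentation), the script below checks a key policy and an IAM policy offline against the action lists above, reporting which required actions are not granted to the Personalize service principal or to the role, and whether the extra export action is present. The account id and role name in ROLE_ARN are hypothetical placeholders, and the sample policies are constructed from the examples on this page.

```python
from fnmatch import fnmatchcase

# Actions this page says must be granted; CreateGrant is only required in the key policy.
KEY_POLICY_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey",
                      "kms:CreateGrant", "kms:ListGrants"}
IAM_POLICY_ACTIONS = KEY_POLICY_ACTIONS - {"kms:CreateGrant"}
# Extra key-policy action needed to export data from a dataset in a key-protected dataset group.
EXPORT_ACTION = "kms:GenerateDataKeyWithoutPlaintext"
PERSONALIZE_SERVICE = "personalize.amazonaws.com"
ROLE_ARN = "arn:aws:iam::111122223333:role/PersonalizeServiceRole"  # hypothetical placeholder

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(stmt, principal_key, principal_value):
    """True if the statement's Principal names the given AWS/Service principal (or '*')."""
    if principal_key is None:  # IAM identity policy: statements carry no Principal element
        return "Principal" not in stmt
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    values = _as_list((principal or {}).get(principal_key, []))
    return "*" in values or principal_value in values

def granted_patterns(policy, principal_key=None, principal_value=None):
    """Lower-cased action patterns from unconditional Allow statements for the principal."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # conditional grants are not assumed to apply; review those by hand
        if _principal_matches(stmt, principal_key, principal_value):
            patterns.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return patterns

def missing_actions(policy, required, principal_key=None, principal_value=None):
    """Required actions no granted pattern covers (wildcards such as kms:* are honoured)."""
    granted = granted_patterns(policy, principal_key, principal_value)
    return sorted(a for a in required if not any(fnmatchcase(a.lower(), p) for p in granted))

# Constructed samples: the key policy from this page, and an IAM policy that omits ListGrants.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "Allow use of the key", "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN, "Service": PERSONALIZE_SERVICE},
    "Action": list(KEY_POLICY_ACTIONS), "Resource": "*"}]}
IAM_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"], "Resource": "*"}]}

if __name__ == "__main__":
    print("service principal:", missing_actions(KEY_POLICY, KEY_POLICY_ACTIONS, "Service", PERSONALIZE_SERVICE))
    print("role, with export:", missing_actions(KEY_POLICY, KEY_POLICY_ACTIONS | {EXPORT_ACTION}, "AWS", ROLE_ARN))
    print("IAM policy:", missing_actions(IAM_POLICY, IAM_POLICY_ACTIONS))
```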