Giving Amazon Personalize permission to use your Amazon KMS key - Amazon Personalize
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Giving Amazon Personalize permission to use your Amazon KMS key

If you specify an Amazon Key Management Service (Amazon KMS) key when you use the Amazon Personalize console or APIs, or if you use your Amazon KMS key to encrypt an Amazon S3 bucket, you must grant Amazon Personalize permission to use your key. Both the Amazon KMS key policy and the IAM policy attached to your service role must grant Amazon Personalize permission to use the key. This applies when you create the following in Amazon Personalize.

  • Dataset groups

  • Dataset import jobs (only the Amazon KMS key policy must grant permissions)

  • Dataset export jobs

  • Batch inference jobs

  • Batch segment jobs

  • Metric attributions

Your Amazon KMS key policy and IAM policies must grant permissions for the following actions:

  • Decrypt

  • GenerateDataKey

  • DescribeKey

  • CreateGrant (only required in the key policy)

  • ListGrants

If you revoke the Amazon KMS key permissions after you create a resource, later operations that depend on the key, such as creating a filter or getting recommendations, can fail. For more information about Amazon KMS policies, see Using key policies in Amazon KMS in the Amazon Key Management Service Developer Guide. For information on creating an IAM policy, see Creating IAM policies in the IAM User Guide. For information on attaching an IAM policy to a role, see Adding and removing IAM identity permissions in the IAM User Guide.

Key policy example

The following key policy statement grants Amazon Personalize (the service principal) and your service role the minimum permissions for the preceding Amazon Personalize operations. Replace <account-id> and <personalize-role-name> with your account ID and role name. In a key policy, "Resource": "*" refers to the key that the policy is attached to. Add this statement to your key's existing statements rather than replacing them: a key policy that no longer contains a statement allowing your account to administer the key (the default "Enable IAM User Permissions" statement) leaves the key unmanageable. If you specify a key when you create a dataset group and want to export data from a dataset, your key policy must also include the GenerateDataKeyWithoutPlaintext action, which is not in the example below; add kms:GenerateDataKeyWithoutPlaintext to the Action list.

{
    "Version": "2012-10-17",
    "Id": "key-policy-123",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account-id>:role/<personalize-role-name>",
                "Service": "personalize.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Resource": "*"
        }
    ]
}

IAM policy example

The following IAM policy example grants a role the minimum Amazon KMS actions required for the preceding Amazon Personalize operations. Note that CreateGrant is not required here; it is only required in the key policy. For dataset import jobs, only the Amazon KMS key policy needs to grant permissions. Unlike in a key policy, "Resource": "*" in an IAM policy applies to every KMS key the role can otherwise reach; for least privilege, replace it with the ARN of the key you use with Amazon Personalize.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:ListGrants"
            ],
            "Resource": "*"
        }
    ]
}
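Before attaching the two policies, it is worth checking offline that they actually grant every action this page lists, for both principals in the key policy, and that the export-only action is present when you need it. The following checker is an added example, not code from the Amazon Personalize documentation or from the service. It evaluates IAM-style JSON policy documents against the action lists above (key policy versus IAM policy, with GenerateDataKeyWithoutPlaintext added for exports) and flags an IAM policy whose Resource is "*". It only models plain Allow/Deny statements with Action and Principal; NotAction, NotPrincipal and Condition are ignored, so a clean result is necessary but not sufficient. The account ID, role name and sample documents are constructed placeholders.

```python
"""Offline check of the KMS key policy and IAM policy Amazon Personalize requires.

Added example, not part of the Amazon Personalize documentation or service.
Models only Allow/Deny statements with Action/Principal; NotAction, NotPrincipal
and Condition are ignored. Account ID and role name are constructed placeholders.
"""
import fnmatch
import json

# Actions this page lists. CreateGrant is only required in the key policy.
KEY_POLICY_ACTIONS = frozenset({
    "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey",
    "kms:CreateGrant", "kms:ListGrants",
})
IAM_POLICY_ACTIONS = KEY_POLICY_ACTIONS - {"kms:CreateGrant"}
# Extra key-policy action when a dataset-group key is used and data is exported.
EXPORT_ACTION = "kms:GenerateDataKeyWithoutPlaintext"
PERSONALIZE_SERVICE_PRINCIPAL = "personalize.amazonaws.com"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_covers_principal(statement, principal):
    """True if a key-policy statement names `principal` (role ARN or service) or '*'."""
    spec = statement.get("Principal", {})
    if spec == "*":
        return True
    names = set(_as_list(spec.get("AWS"))) | set(_as_list(spec.get("Service")))
    return principal in names or "*" in names


def _action_matches(pattern, action):
    """IAM action names are case-insensitive; patterns may use '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy, required, principal=None):
    """Subset of `required` that some Allow statement grants and no Deny revokes.

    Pass `principal` for key policies so only statements naming that principal
    count; leave it None for identity (IAM) policies.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if principal is not None and not _statement_covers_principal(stmt, principal):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            bucket.update(a for a in required if _action_matches(pattern, a))
    return allowed - denied


def missing_actions(policy, required, principal=None):
    """Sorted list of required actions the policy does not grant."""
    return sorted(set(required) - granted_actions(policy, required, principal))


def iam_policy_resources(policy):
    """Resources named by Allow statements that grant any kms: action."""
    resources = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(p.lower().startswith(("kms:", "*")) for p in _as_list(stmt.get("Action"))):
            resources.update(_as_list(stmt.get("Resource")))
    return sorted(resources)


def check_personalize_kms_access(key_policy, iam_policy, role_arn, exports=False):
    """Report what each policy still lacks for the Personalize operations on this page."""
    key_required = set(KEY_POLICY_ACTIONS) | ({EXPORT_ACTION} if exports else set())
    return {
        "key_policy_missing_for_service": missing_actions(
            key_policy, key_required, PERSONALIZE_SERVICE_PRINCIPAL),
        "key_policy_missing_for_role": missing_actions(key_policy, key_required, role_arn),
        "iam_policy_missing": missing_actions(iam_policy, IAM_POLICY_ACTIONS),
        # '*' means the role may use every KMS key it can reach; scope to the key ARN.
        "iam_policy_resource_is_wildcard": "*" in iam_policy_resources(iam_policy),
    }


# Constructed sample documents mirroring the two examples on this page (placeholders).
ROLE_ARN = "arn:aws:iam::111122223333:role/PersonalizeServiceRole"
KEY_POLICY = json.loads("""{
  "Version": "2012-10-17", "Id": "key-policy-123",
  "Statement": [{"Sid": "Allow use of the key", "Effect": "Allow",
    "Principal": {"AWS": "%s", "Service": "personalize.amazonaws.com"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey",
               "kms:CreateGrant", "kms:ListGrants"],
    "Resource": "*"}]}""" % ROLE_ARN)
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:ListGrants"],
    "Resource": "*"}]}""")

if __name__ == "__main__":
    print(json.dumps(check_personalize_kms_access(KEY_POLICY, IAM_POLICY, ROLE_ARN), indent=2))
    print(json.dumps(check_personalize_kms_access(KEY_POLICY, IAM_POLICY, ROLE_ARN, exports=True), indent=2))
```

Run against the page's own two examples, the checker reports no missing actions for the non-export case but flags the IAM policy's wildcard Resource; with exports=True it reports kms:GenerateDataKeyWithoutPlaintext missing from the key policy for both the service principal and the role, which is exactly the gap the note above the key policy example warns about. Load your real documents with `aws kms get-key-policy` and `aws iam get-role-policy` output instead of the constructed samples.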