Advanced KMS key policy statements
Note
Customer managed KMS keys for Amazon IAM Identity Center are currently available in select Amazon Regions.
Use advanced KMS key policy statements to implement more granular access controls for your customer managed KMS key. These policies build on the Baseline KMS key and IAM policy statements by adding encryption context conditions and service-specific restrictions. Before deciding whether to use advanced KMS key policy statements, make sure to review the pertinent considerations.
Using encryption context to restrict access
You can restrict KMS key usage to a specific IAM Identity Center instance by adding an encryption context condition to your key policy statements. This condition uses the IAM Identity Center instance ARN and Identity Store ARN to ensure the key works only with your intended instance. Add this condition to any of the baseline policy statements:
Identity Center:
"StringLike": { "kms:EncryptionContext:aws:sso:instance-arn": "${identity_center_arn}" }
Identity Store:
"StringLike": { "kms:EncryptionContext:aws:identitystore:identitystore-arn": "${identity_store_arn}" }
Replace example ARNs with your actual ARN values. If you need help finding these identifiers, see Find the required identifiers.
Considerations for implementing encryption context conditions
Before implementing encryption context conditions, review these requirements:
- DescribeKey action. The encryption context cannot be applied to the "kms:DescribeKey" action, which IAM Identity Center administrators can call. When configuring your KMS key policy, exclude the encryption context condition from the statement for this specific action so that your IAM Identity Center instance operates properly.
- New instance setup. If you're enabling a new IAM Identity Center instance with a customer managed KMS key, see Considerations for customer managed KMS keys and advanced KMS key policies.
- Identity source changes. When changing your identity source to or from Active Directory, the encryption context requires special attention. See Considerations for changing your identity source.
Policy templates
Choose from these advanced policy templates based on your security requirements. Balance granular access controls with the administrative overhead they introduce.
Topics covered here:
- KMS key policy statements for use of a specific IAM Identity Center instance. This section demonstrates how to use the encryption context for the use of IAM Identity Center without applying it to the "kms:DescribeKey" action. For the other use cases, you can add an encryption context condition to the baseline KMS policy statements, as described above.
- KMS policy statements for read-only use of a specific IAM Identity Center instance. This section demonstrates the use of the encryption context for read-only access to IAM Identity Center.
- Refined KMS key policy statements for use of Amazon managed applications. This section demonstrates how to refine the KMS key policies for Amazon managed applications using the encryption context and application information, such as the application service principal, application ARN and Amazon account ID.
KMS key policy statements for use of a specific IAM Identity Center instance
These policy statements allow administrators of a specific IAM Identity Center instance to use the KMS key while restricting access to that instance only.
Note
Currently, you can use a customer managed KMS key only with an organization instance of IAM Identity Center. The customer managed key must be located in the Amazon organization's management account, which helps ensure the key is used with a single IAM Identity Center instance. In addition, the encryption context condition provides an independent technical safeguard that enforces single-instance usage.
Administrator access policy
The following policy statement template allows administrators of a specific instance of IAM Identity Center and its associated Identity Store to use the KMS key.
To use this policy:
Replace the example administrator IAM principals with your actual administrator IAM principals
Replace the example IAM Identity Center instance ARN with your actual instance ARN
Replace the example Identity Store ARN with your actual Identity Store ARN
If you need help finding the values of these identifiers, see Find the required identifiers.
Once you have updated the template with your values, return to Step 2: Prepare KMS key policy statements to prepare additional KMS key policy statements, as needed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "${identity_center_arn}",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowSpecificIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "${identity_store_arn}",
          "kms:ViaService": "identitystore.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    }
  ]
}
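A quick structural check of a key policy against the two rules above (key-use statements carry an encryption-context condition; the "kms:DescribeKey" statement does not). This is an added example, not code from the original page or from Amazon; the sample policy and its ARN and account values are constructed, with two defects deliberately injected so the linter has something to report.

```python
"""Lint a KMS key policy for the encryption-context rules described on this page."""
import json

USE_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom",
               "kms:GenerateDataKeyWithoutPlaintext"}
CONTEXT_KEYS = ("kms:EncryptionContext:aws:sso:instance-arn",
                "kms:EncryptionContext:aws:identitystore:identitystore-arn")

def as_list(v):
    return v if isinstance(v, list) else [v]

def context_keys(stmt):
    """Return the encryption-context condition keys used anywhere in a statement."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k for k in operator_block if k in CONTEXT_KEYS)
    return keys

def lint_key_policy(policy):
    """Return a list of findings; an empty list means the policy follows both rules."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions, ctx = stmt.get("Sid", "?"), set(as_list(stmt["Action"])), context_keys(stmt)
        if actions & USE_ACTIONS and not ctx:
            findings.append(f"{sid}: grants key use without an encryption-context condition")
        if "kms:DescribeKey" in actions and ctx:
            findings.append(f"{sid}: kms:DescribeKey must not carry an encryption-context condition")
    return findings

# Constructed sample (placeholder ARNs/account): the admin template with two injected defects,
# the Identity Store statement lacks its context key and DescribeKey wrongly carries one.
SAMPLE_POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [
 { "Sid": "AdminUseViaIdentityCenter", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/IdcAdmin"},
   "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext"], "Resource": "*",
   "Condition": {"StringLike": {"kms:EncryptionContext:aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-EXAMPLE",
                                "kms:ViaService": "sso.*.amazonaws.com"}} },
 { "Sid": "AdminUseViaIdentityStore", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/IdcAdmin"},
   "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext"], "Resource": "*",
   "Condition": {"StringLike": {"kms:ViaService": "identitystore.*.amazonaws.com"}} },
 { "Sid": "AdminDescribeKey", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/IdcAdmin"},
   "Action": "kms:DescribeKey", "Resource": "*",
   "Condition": {"StringLike": {"kms:EncryptionContext:aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-EXAMPLE"}} } ] }""")

if __name__ == "__main__":
    for finding in lint_key_policy(SAMPLE_POLICY):
        print(finding)
```

Run it against your own policy by loading the JSON into `lint_key_policy` in place of `SAMPLE_POLICY`.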
Service access policy
The following policy statement template allows a specific instance of IAM Identity Center and its associated Identity Store to use the KMS key.
To use this policy:
Replace the example IAM Identity Center instance ARN with your actual instance ARN
Replace the example Identity Store ARN with your actual Identity Store ARN
If you need help finding the values of these identifiers, see Find the required identifiers.
Once you have updated the template with your values, return to Step 2: Prepare KMS key policy statements to prepare additional KMS key policy statements, as needed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificIAMIdentityCenterToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": "sso.amazonaws.com" },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "${identity_center_arn}"
        }
      }
    },
    {
      "Sid": "AllowSpecificIAMIdentityStoreToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": "identitystore.amazonaws.com" },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "${identity_store_arn}"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "identitystore.amazonaws.com",
          "sso.amazonaws.com"
        ]
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    }
  ]
}
KMS policy statements for read-only use of a specific IAM Identity Center instance
This policy allows security auditors
To use this policy:
Replace the example read-only administrator IAM principals with your actual administrator IAM principals
Replace the example IAM Identity Center instance ARN with your actual instance ARN
Replace the example Identity Store ARN with your actual Identity Store ARN
If using delegated administration, see Step 4: Configure IAM policies for cross-account use of the KMS key
If you need help finding the values of these identifiers, see Find the required identifiers.
Once you have updated the template with your values, return to Step 2: Prepare KMS key policy statements to prepare additional KMS key policy statements, as needed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnlyAccessToIdentityCenterAPI",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "${identity_center_arn}",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowReadOnlyAccessToIdentityStoreAPI",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "${identity_store_arn}"
        }
      }
    }
  ]
}
Refined KMS key policy statements for use of Amazon managed applications
These policy templates provide more granular control over which Amazon managed applications can use your KMS key.
Note
Some Amazon managed applications cannot be used with IAM Identity Center configured with a customer managed KMS key. See Amazon managed applications that you can use with IAM Identity Center.
The Baseline KMS key and IAM policy statements for use of Amazon managed applications allow any Amazon managed application from any account in the same Amazon organization to use the KMS key. Use these refined policies to restrict access by:
Application service principal
Application instance ARNs
Amazon account IDs
Encryption context for specific IAM Identity Center instances
Note
A service principal is a unique identifier for an Amazon service, typically formatted as servicename.amazonaws.com (for example, elasticmapreduce.amazonaws.com for Amazon EMR).
Restrict by account
This KMS key policy statement template allows an Amazon managed application in specific Amazon accounts to use the KMS key through a specific IAM Identity Center instance.
To use this policy:
Replace the example service principal with your actual application service principal
Replace the example account IDs with your actual account IDs
Replace the example Identity Store ARN with your actual Identity Store ARN
Replace the example IAM Identity Center instance ARN with your actual instance ARN
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowServiceInSpecificAccountsToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "Service": "${app_SPN_IAM_principal}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:sourceAccount": [
            "${account_id_1}",
            "${account_id_2}"
          ]
        },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "${identity_center_arn}"
        },
        "Bool": { "aws:PrincipalIsAWSService": "true" }
      }
    },
    {
      "Sid": "AllowServiceInSpecificAccountsToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "Service": "${app_SPN_IAM_principal}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:sourceAccount": [
            "${account_id_1}",
            "${account_id_2}"
          ]
        },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "${identity_store_arn}"
        },
        "Bool": { "aws:PrincipalIsAWSService": "true" }
      }
    }
  ]
}
Restrict by application instance
This KMS key policy statement template allows a specific Amazon managed application instance to use the KMS key through a specific IAM Identity Center instance.
To use this policy:
Replace the example service principal with your actual application service principal
Replace the example application ARN with your actual application instance ARN
Replace the example Identity Store ARN with your actual Identity Store ARN
Replace the example IAM Identity Center instance ARN with your actual instance ARN
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificAppInstanceToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "Service": "${app_SPN_IAM_principal}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:SourceARN": "${app_arn}" },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "${identity_center_arn}"
        },
        "Bool": { "aws:PrincipalIsAWSService": "true" }
      }
    },
    {
      "Sid": "AllowSpecificAppInstanceToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "Service": "${app_SPN_IAM_principal}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:SourceARN": "${app_arn}" },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "${identity_store_arn}"
        },
        "Bool": { "aws:PrincipalIsAWSService": "true" }
      }
    }
  ]
}
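To see how the refined conditions in the "Restrict by account" and "Restrict by application instance" templates combine at request time, here is a small condition evaluator that models IAM's StringEquals, StringLike (with "*" and "?" wildcards) and Bool operators and runs the account-restricted statement against sample request contexts. This is an added example, not code from the original page or from Amazon; it is a simplified model (no Deny statements, no resource matching), and the account IDs and instance ARN are constructed placeholders standing in for the template's ${...} values.

```python
"""Evaluate the 'restrict by account' statement against sample KMS request contexts."""
import re

def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' matches one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": string_like,
    "Bool": lambda pattern, value: pattern.lower() == str(value).lower(),
}

def condition_matches(condition, request):
    """Every condition key must match; a key listing several policy values matches if any one does."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            if key not in request:
                return False  # a context key absent from the request never satisfies the condition
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if not any(OPERATORS[operator](a, request[key]) for a in allowed):
                return False
    return True

def is_allowed(policy, request):
    """True if some Allow statement for the request's action and service principal matches."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and request["action"] in actions \
                and stmt["Principal"].get("Service") == request["principal"] \
                and condition_matches(stmt.get("Condition", {}), request):
            return True
    return False

# Constructed placeholder values standing in for the template's ${...} variables
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowServiceInSpecificAccountsToUseTheKMSKeyViaIdentityCenter", "Effect": "Allow",
    "Principal": {"Service": "elasticmapreduce.amazonaws.com"}, "Action": "kms:Decrypt", "Resource": "*",
    "Condition": {"StringEquals": {"aws:sourceAccount": ["111122223333", "444455556666"]},
                  "StringLike": {"kms:ViaService": "sso.*.amazonaws.com",
                                 "kms:EncryptionContext:aws:sso:instance-arn": INSTANCE_ARN},
                  "Bool": {"aws:PrincipalIsAWSService": "true"}}}]}

def sample_request(account, instance_arn):
    # Constructed request context as KMS would see it for a call made through Identity Center
    return {"action": "kms:Decrypt", "principal": "elasticmapreduce.amazonaws.com",
            "aws:sourceAccount": account, "kms:ViaService": "sso.us-east-1.amazonaws.com",
            "kms:EncryptionContext:aws:sso:instance-arn": instance_arn, "aws:PrincipalIsAWSService": "true"}
```

The same evaluator applies to the application-instance template by swapping the StringEquals key to "aws:SourceARN" and supplying the application ARN in the request.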