Permissions to Use User-Generated KMS Master Keys - Amazon Kinesis Data Streams
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions to Use User-Generated KMS Master Keys

Before you can use server-side encryption with a user-generated KMS master key, you must configure Amazon KMS key policies to allow encryption of streams and encryption and decryption of stream records. For examples and more information about Amazon KMS permissions, see Amazon KMS API Permissions: Actions and Resources Reference.


The use of the default service key for encryption does not require application of custom IAM permissions.

Before you use user-generated KMS master keys, ensure that your Kinesis stream producers and consumers (IAM principals) are users in the KMS master key policy. Otherwise, writes and reads from a stream will fail, which could ultimately result in data loss, delayed processing, or hung applications. You can manage permissions for KMS keys using IAM policies. For more information, see Using IAM Policies with Amazon KMS.

Example Producer Permissions

Your Kinesis stream producers must have the kms:GenerateDataKey permission.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:GenerateDataKey" ], "Resource": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, { "Effect": "Allow", "Action": [ "kinesis:PutRecord", "kinesis:PutRecords" ], "Resource": "arn:aws:kinesis:*:123456789012:MyStream" } ] }

Example Consumer Permissions

Your Kinesis stream consumers must have the kms:Decrypt permission.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, { "Effect": "Allow", "Action": [ "kinesis:GetRecords", "kinesis:DescribeStream" ], "Resource": "arn:aws:kinesis:*:123456789012:MyStream" } ] }

Amazon Managed Service for Apache Flink and Amazon Lambda use roles to consume Kinesis streams. Make sure to add the kms:Decrypt permission to the roles that these consumers use.

Stream Administrator Permissions

Kinesis stream administrators must have authorization to call kms:List* and kms:DescribeKey*.