View a markdown version of this page

Actions, resources, and condition keys for Amazon Key Management Service - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Key Management Service

Amazon Key Management Service (service prefix: kms) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Key Management Service

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CancelKeyDeletion

kms:CancelKeyDeletion

Write

ConnectCustomKeyStore

kms:ConnectCustomKeyStore

Write

CreateAlias

kms:CreateAlias

Write

CreateCustomKeyStore

kms:CreateCustomKeyStore

Write

CreateGrant

kms:CreateGrant

Permissions management, Write

CreateKey

kms:CreateKey

Write

kms:PutKeyPolicy

Permissions management, Write

kms:TagResource

Tagging, Write

Decrypt

kms:Decrypt

Write

DeleteAlias

kms:DeleteAlias

Write

DeleteCustomKeyStore

kms:DeleteCustomKeyStore

Write

DeleteImportedKeyMaterial

kms:DeleteImportedKeyMaterial

Write

DeriveSharedSecret

kms:DeriveSharedSecret

Write

DescribeCustomKeyStores

kms:DescribeCustomKeyStores

Read

DescribeKey

kms:DescribeKey

Read

DisableKey

kms:DisableKey

Write

DisableKeyRotation

kms:DisableKeyRotation

Write

DisconnectCustomKeyStore

kms:DisconnectCustomKeyStore

Write

EnableKey

kms:EnableKey

Write

EnableKeyRotation

kms:EnableKeyRotation

Write

Encrypt

kms:Encrypt

Write

GenerateDataKey

kms:GenerateDataKey

Write

GenerateDataKeyPair

kms:GenerateDataKeyPair

Write

GenerateDataKeyPairWithoutPlaintext

kms:GenerateDataKeyPairWithoutPlaintext

Write

GenerateDataKeyWithoutPlaintext

kms:GenerateDataKeyWithoutPlaintext

Write

GenerateMac

kms:GenerateMac

Write

GenerateRandom

kms:GenerateRandom

Write

GetKeyLastUsage

kms:GetKeyLastUsage

Read

GetKeyPolicy

kms:GetKeyPolicy

Read

GetKeyRotationStatus

kms:GetKeyRotationStatus

Read

GetParametersForImport

kms:GetParametersForImport

Read

GetPublicKey

kms:GetPublicKey

Read

ImportKeyMaterial

kms:ImportKeyMaterial

Write

ListAliases

kms:ListAliases

List

ListGrants

kms:ListGrants

List

ListKeyPolicies

kms:ListKeyPolicies

List

ListKeyRotations

kms:ListKeyRotations

List

ListKeys

kms:ListKeys

List

ListResourceTags

kms:ListResourceTags

List

ListRetirableGrants

kms:ListRetirableGrants

List

PutKeyPolicy

kms:PutKeyPolicy

Permissions management, Write

ReEncrypt

kms:ReEncryptFrom

Write

kms:ReEncryptTo

Write

ReplicateKey

kms:ReplicateKey

Write

RetireGrant

kms:RetireGrant

Permissions management, Write

RevokeGrant

kms:RevokeGrant

Permissions management, Write

RotateKeyOnDemand

kms:RotateKeyOnDemand

Write

ScheduleKeyDeletion

kms:ScheduleKeyDeletion

Write

Sign

kms:Sign

Write

TagResource

kms:TagResource

Tagging, Write

UntagResource

kms:UntagResource

Tagging, Write

UpdateAlias

kms:UpdateAlias

Write

UpdateCustomKeyStore

kms:UpdateCustomKeyStore

Write

UpdateKeyDescription

kms:UpdateKeyDescription

Write

UpdatePrimaryRegion

kms:UpdatePrimaryRegion

Write

Verify

kms:Verify

Write

VerifyMac

kms:VerifyMac

Write

Actions defined by Amazon Key Management Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CancelKeyDeletion

Controls permission to cancel the scheduled deletion of an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Write

ConnectCustomKeyStore

Controls permission to connect or reconnect a custom key store to its associated Amazon CloudHSM cluster or external key manager outside of Amazon

kms:CallerAccount

Write

CreateAlias

Controls permission to create an alias for an Amazon KMS key. Aliases are optional friendly names that you can associate with KMS keys

alias*

kms:CallerAccount

kms:ViaService

Write

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

CreateCustomKeyStore

Controls permission to create a custom key store that is backed by an Amazon CloudHSM cluster or an external key manager outside of Amazon

kms:CallerAccount

Write

CreateGrant

Controls permission to add a grant to an Amazon KMS key. You can use grants to add permissions without changing the key policy or IAM policy

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:EncryptionContext:${EncryptionContextKey}

kms:EncryptionContextKeys

kms:GrantConstraintSourceArn

kms:GrantConstraintType

kms:GranteePrincipal

kms:GranteeServicePrincipal

kms:GrantIsForAWSResource

kms:GrantOperations

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:RetiringPrincipal

kms:RetiringServicePrincipal

kms:ViaService

Permissions management, Write

CreateKey

Controls permission to create an Amazon KMS key that can be used to protect data keys and other sensitive information

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

kms:BypassPolicyLockoutSafetyCheck

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ViaService

Write

Decrypt

Controls permission to decrypt ciphertext that was encrypted under an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:EncryptionAlgorithm

kms:EncryptionContext:${EncryptionContextKey}

kms:EncryptionContextKeys

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:RecipientAttestation:ImageSha384

kms:RecipientAttestation:NitroTPMPCR0

kms:RecipientAttestation:NitroTPMPCR1

kms:RecipientAttestation:NitroTPMPCR10

kms:RecipientAttestation:NitroTPMPCR11

kms:RecipientAttestation:NitroTPMPCR12

kms:RecipientAttestation:NitroTPMPCR13

kms:RecipientAttestation:NitroTPMPCR14

kms:RecipientAttestation:NitroTPMPCR15

kms:RecipientAttestation:NitroTPMPCR16

kms:RecipientAttestation:NitroTPMPCR17

kms:RecipientAttestation:NitroTPMPCR18

kms:RecipientAttestation:NitroTPMPCR19

kms:RecipientAttestation:NitroTPMPCR2

kms:RecipientAttestation:NitroTPMPCR20

kms:RecipientAttestation:NitroTPMPCR21

kms:RecipientAttestation:NitroTPMPCR22

kms:RecipientAttestation:NitroTPMPCR23

kms:RecipientAttestation:NitroTPMPCR3

kms:RecipientAttestation:NitroTPMPCR4

kms:RecipientAttestation:NitroTPMPCR5

kms:RecipientAttestation:NitroTPMPCR6

kms:RecipientAttestation:NitroTPMPCR7

kms:RecipientAttestation:NitroTPMPCR8

kms:RecipientAttestation:NitroTPMPCR9

kms:RecipientAttestation:PCR0

kms:RecipientAttestation:PCR1

kms:RecipientAttestation:PCR10

kms:RecipientAttestation:PCR11

kms:RecipientAttestation:PCR12

kms:RecipientAttestation:PCR13

kms:RecipientAttestation:PCR14

kms:RecipientAttestation:PCR15

kms:RecipientAttestation:PCR16

kms:RecipientAttestation:PCR17

kms:RecipientAttestation:PCR18

kms:RecipientAttestation:PCR19

kms:RecipientAttestation:PCR2

kms:RecipientAttestation:PCR20

kms:RecipientAttestation:PCR21

kms:RecipientAttestation:PCR22

kms:RecipientAttestation:PCR23

kms:RecipientAttestation:PCR24

kms:RecipientAttestation:PCR25

kms:RecipientAttestation:PCR26

kms:RecipientAttestation:PCR27

kms:RecipientAttestation:PCR28

kms:RecipientAttestation:PCR29

kms:RecipientAttestation:PCR3

kms:RecipientAttestation:PCR30

kms:RecipientAttestation:PCR31

kms:RecipientAttestation:PCR4

kms:RecipientAttestation:PCR5

kms:RecipientAttestation:PCR6

kms:RecipientAttestation:PCR7

kms:RecipientAttestation:PCR8

kms:RecipientAttestation:PCR9

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

DeleteAlias

Controls permission to delete an alias. Aliases are optional friendly names that you can associate with Amazon KMS keys

alias*

kms:CallerAccount

kms:ViaService

Write

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

DeleteCustomKeyStore

Controls permission to delete a custom key store

kms:CallerAccount

Write

DeleteImportedKeyMaterial

Controls permission to delete cryptographic material that you imported into an Amazon KMS key. This action makes the key unusable

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Write

DeriveSharedSecret

Controls permission to use the specified Amazon KMS key to derive shared secrets

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyAgreementAlgorithm

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:RecipientAttestation:ImageSha384

kms:RecipientAttestation:NitroTPMPCR0

kms:RecipientAttestation:NitroTPMPCR1

kms:RecipientAttestation:NitroTPMPCR10

kms:RecipientAttestation:NitroTPMPCR11

kms:RecipientAttestation:NitroTPMPCR12

kms:RecipientAttestation:NitroTPMPCR13

kms:RecipientAttestation:NitroTPMPCR14

kms:RecipientAttestation:NitroTPMPCR15

kms:RecipientAttestation:NitroTPMPCR16

kms:RecipientAttestation:NitroTPMPCR17

kms:RecipientAttestation:NitroTPMPCR18

kms:RecipientAttestation:NitroTPMPCR19

kms:RecipientAttestation:NitroTPMPCR2

kms:RecipientAttestation:NitroTPMPCR20

kms:RecipientAttestation:NitroTPMPCR21

kms:RecipientAttestation:NitroTPMPCR22

kms:RecipientAttestation:NitroTPMPCR23

kms:RecipientAttestation:NitroTPMPCR3

kms:RecipientAttestation:NitroTPMPCR4

kms:RecipientAttestation:NitroTPMPCR5

kms:RecipientAttestation:NitroTPMPCR6

kms:RecipientAttestation:NitroTPMPCR7

kms:RecipientAttestation:NitroTPMPCR8

kms:RecipientAttestation:NitroTPMPCR9

kms:RecipientAttestation:PCR0

kms:RecipientAttestation:PCR1

kms:RecipientAttestation:PCR10

kms:RecipientAttestation:PCR11

kms:RecipientAttestation:PCR12

kms:RecipientAttestation:PCR13

kms:RecipientAttestation:PCR14

kms:RecipientAttestation:PCR15

kms:RecipientAttestation:PCR16

kms:RecipientAttestation:PCR17

kms:RecipientAttestation:PCR18

kms:RecipientAttestation:PCR19

kms:RecipientAttestation:PCR2

kms:RecipientAttestation:PCR20

kms:RecipientAttestation:PCR21

kms:RecipientAttestation:PCR22

kms:RecipientAttestation:PCR23

kms:RecipientAttestation:PCR24

kms:RecipientAttestation:PCR25

kms:RecipientAttestation:PCR26

kms:RecipientAttestation:PCR27

kms:RecipientAttestation:PCR28

kms:RecipientAttestation:PCR29

kms:RecipientAttestation:PCR3

kms:RecipientAttestation:PCR30

kms:RecipientAttestation:PCR31

kms:RecipientAttestation:PCR4

kms:RecipientAttestation:PCR5

kms:RecipientAttestation:PCR6

kms:RecipientAttestation:PCR7

kms:RecipientAttestation:PCR8

kms:RecipientAttestation:PCR9

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

DescribeCustomKeyStores

Controls permission to view detailed information about custom key stores in the account and region

kms:CallerAccount

Read

DescribeKey

Controls permission to view detailed information about an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Read

DisableKey

Controls permission to disable an Amazon KMS key, which prevents it from being used in cryptographic operations

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:TrailingDaysWithoutKeyUsage

kms:ViaService

Write

DisableKeyRotation

Controls permission to disable automatic rotation of a customer managed Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Write

DisconnectCustomKeyStore

Controls permission to disconnect the custom key store from its associated Amazon CloudHSM cluster or external key manager outside of Amazon

kms:CallerAccount

Write

EnableKey

Controls permission to change the state of an Amazon KMS key to enabled. This allows the KMS key to be used in cryptographic operations

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Write

EnableKeyRotation

Controls permission to enable automatic rotation of the cryptographic material in an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:RotationPeriodInDays

kms:ViaService

Write

Encrypt

Controls permission to use the specified Amazon KMS key to encrypt data and data keys

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:EncryptionAlgorithm

kms:EncryptionContext:${EncryptionContextKey}

kms:EncryptionContextKeys

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

GenerateDataKey

Controls permission to use the Amazon KMS key to generate data keys. You can use the data keys to encrypt data outside of Amazon KMS

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:EncryptionAlgorithm

kms:EncryptionContext:${EncryptionContextKey}

kms:EncryptionContextKeys

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:RecipientAttestation:ImageSha384

kms:RecipientAttestation:NitroTPMPCR0

kms:RecipientAttestation:NitroTPMPCR1

kms:RecipientAttestation:NitroTPMPCR10

kms:RecipientAttestation:NitroTPMPCR11

kms:RecipientAttestation:NitroTPMPCR12

kms:RecipientAttestation:NitroTPMPCR13

kms:RecipientAttestation:NitroTPMPCR14

kms:RecipientAttestation:NitroTPMPCR15

kms:RecipientAttestation:NitroTPMPCR16

kms:RecipientAttestation:NitroTPMPCR17

kms:RecipientAttestation:NitroTPMPCR18

kms:RecipientAttestation:NitroTPMPCR19

kms:RecipientAttestation:NitroTPMPCR2

kms:RecipientAttestation:NitroTPMPCR20

kms:RecipientAttestation:NitroTPMPCR21

kms:RecipientAttestation:NitroTPMPCR22

kms:RecipientAttestation:NitroTPMPCR23

kms:RecipientAttestation:NitroTPMPCR3

kms:RecipientAttestation:NitroTPMPCR4

kms:RecipientAttestation:NitroTPMPCR5

kms:RecipientAttestation:NitroTPMPCR6

kms:RecipientAttestation:NitroTPMPCR7

kms:RecipientAttestation:NitroTPMPCR8

kms:RecipientAttestation:NitroTPMPCR9

kms:RecipientAttestation:PCR0

kms:RecipientAttestation:PCR1

kms:RecipientAttestation:PCR10

kms:RecipientAttestation:PCR11

kms:RecipientAttestation:PCR12

kms:RecipientAttestation:PCR13

kms:RecipientAttestation:PCR14

kms:RecipientAttestation:PCR15

kms:RecipientAttestation:PCR16

kms:RecipientAttestation:PCR17

kms:RecipientAttestation:PCR18

kms:RecipientAttestation:PCR19

kms:RecipientAttestation:PCR2

kms:RecipientAttestation:PCR20

kms:RecipientAttestation:PCR21

kms:RecipientAttestation:PCR22

kms:RecipientAttestation:PCR23

kms:RecipientAttestation:PCR24

kms:RecipientAttestation:PCR25

kms:RecipientAttestation:PCR26

kms:RecipientAttestation:PCR27

kms:RecipientAttestation:PCR28

kms:RecipientAttestation:PCR29

kms:RecipientAttestation:PCR3

kms:RecipientAttestation:PCR30

kms:RecipientAttestation:PCR31

kms:RecipientAttestation:PCR4

kms:RecipientAttestation:PCR5

kms:RecipientAttestation:PCR6

kms:RecipientAttestation:PCR7

kms:RecipientAttestation:PCR8

kms:RecipientAttestation:PCR9

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

GenerateDataKeyPair

Controls permission to use the Amazon KMS key to generate data key pairs

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:DataKeyPairSpec

kms:EncryptionAlgorithm

kms:EncryptionContext:${EncryptionContextKey}

kms:EncryptionContextKeys

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:RecipientAttestation:ImageSha384

kms:RecipientAttestation:NitroTPMPCR0

kms:RecipientAttestation:NitroTPMPCR1

kms:RecipientAttestation:NitroTPMPCR10

kms:RecipientAttestation:NitroTPMPCR11

kms:RecipientAttestation:NitroTPMPCR12

kms:RecipientAttestation:NitroTPMPCR13

kms:RecipientAttestation:NitroTPMPCR14

kms:RecipientAttestation:NitroTPMPCR15

kms:RecipientAttestation:NitroTPMPCR16

kms:RecipientAttestation:NitroTPMPCR17

kms:RecipientAttestation:NitroTPMPCR18

kms:RecipientAttestation:NitroTPMPCR19

kms:RecipientAttestation:NitroTPMPCR2

kms:RecipientAttestation:NitroTPMPCR20

kms:RecipientAttestation:NitroTPMPCR21

kms:RecipientAttestation:NitroTPMPCR22

kms:RecipientAttestation:NitroTPMPCR23

kms:RecipientAttestation:NitroTPMPCR3

kms:RecipientAttestation:NitroTPMPCR4

kms:RecipientAttestation:NitroTPMPCR5

kms:RecipientAttestation:NitroTPMPCR6

kms:RecipientAttestation:NitroTPMPCR7

kms:RecipientAttestation:NitroTPMPCR8

kms:RecipientAttestation:NitroTPMPCR9

kms:RecipientAttestation:PCR0

kms:RecipientAttestation:PCR1

kms:RecipientAttestation:PCR10

kms:RecipientAttestation:PCR11

kms:RecipientAttestation:PCR12

kms:RecipientAttestation:PCR13

kms:RecipientAttestation:PCR14

kms:RecipientAttestation:PCR15

kms:RecipientAttestation:PCR16

kms:RecipientAttestation:PCR17

kms:RecipientAttestation:PCR18

kms:RecipientAttestation:PCR19

kms:RecipientAttestation:PCR2

kms:RecipientAttestation:PCR20

kms:RecipientAttestation:PCR21

kms:RecipientAttestation:PCR22

kms:RecipientAttestation:PCR23

kms:RecipientAttestation:PCR24

kms:RecipientAttestation:PCR25

kms:RecipientAttestation:PCR26

kms:RecipientAttestation:PCR27

kms:RecipientAttestation:PCR28

kms:RecipientAttestation:PCR29

kms:RecipientAttestation:PCR3

kms:RecipientAttestation:PCR30

kms:RecipientAttestation:PCR31

kms:RecipientAttestation:PCR4

kms:RecipientAttestation:PCR5

kms:RecipientAttestation:PCR6

kms:RecipientAttestation:PCR7

kms:RecipientAttestation:PCR8

kms:RecipientAttestation:PCR9

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

GenerateDataKeyPairWithoutPlaintext

Controls permission to use the Amazon KMS key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:DataKeyPairSpec

kms:EncryptionAlgorithm

kms:EncryptionContext:${EncryptionContextKey}

kms:EncryptionContextKeys

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

GenerateDataKeyWithoutPlaintext

Controls permission to use the Amazon KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:EncryptionAlgorithm

kms:EncryptionContext:${EncryptionContextKey}

kms:EncryptionContextKeys

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

GenerateMac

Controls permission to use the Amazon KMS key to generate message authentication codes

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MacAlgorithm

kms:MultiRegion

kms:MultiRegionKeyType

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

GenerateRandom

Controls permission to get a cryptographically secure random byte string from Amazon KMS

kms:RecipientAttestation:ImageSha384

kms:RecipientAttestation:NitroTPMPCR0

kms:RecipientAttestation:NitroTPMPCR1

kms:RecipientAttestation:NitroTPMPCR10

kms:RecipientAttestation:NitroTPMPCR11

kms:RecipientAttestation:NitroTPMPCR12

kms:RecipientAttestation:NitroTPMPCR13

kms:RecipientAttestation:NitroTPMPCR14

kms:RecipientAttestation:NitroTPMPCR15

kms:RecipientAttestation:NitroTPMPCR16

kms:RecipientAttestation:NitroTPMPCR17

kms:RecipientAttestation:NitroTPMPCR18

kms:RecipientAttestation:NitroTPMPCR19

kms:RecipientAttestation:NitroTPMPCR2

kms:RecipientAttestation:NitroTPMPCR20

kms:RecipientAttestation:NitroTPMPCR21

kms:RecipientAttestation:NitroTPMPCR22

kms:RecipientAttestation:NitroTPMPCR23

kms:RecipientAttestation:NitroTPMPCR3

kms:RecipientAttestation:NitroTPMPCR4

kms:RecipientAttestation:NitroTPMPCR5

kms:RecipientAttestation:NitroTPMPCR6

kms:RecipientAttestation:NitroTPMPCR7

kms:RecipientAttestation:NitroTPMPCR8

kms:RecipientAttestation:NitroTPMPCR9

kms:RecipientAttestation:PCR0

kms:RecipientAttestation:PCR1

kms:RecipientAttestation:PCR10

kms:RecipientAttestation:PCR11

kms:RecipientAttestation:PCR12

kms:RecipientAttestation:PCR13

kms:RecipientAttestation:PCR14

kms:RecipientAttestation:PCR15

kms:RecipientAttestation:PCR16

kms:RecipientAttestation:PCR17

kms:RecipientAttestation:PCR18

kms:RecipientAttestation:PCR19

kms:RecipientAttestation:PCR2

kms:RecipientAttestation:PCR20

kms:RecipientAttestation:PCR21

kms:RecipientAttestation:PCR22

kms:RecipientAttestation:PCR23

kms:RecipientAttestation:PCR24

kms:RecipientAttestation:PCR25

kms:RecipientAttestation:PCR26

kms:RecipientAttestation:PCR27

kms:RecipientAttestation:PCR28

kms:RecipientAttestation:PCR29

kms:RecipientAttestation:PCR3

kms:RecipientAttestation:PCR30

kms:RecipientAttestation:PCR31

kms:RecipientAttestation:PCR4

kms:RecipientAttestation:PCR5

kms:RecipientAttestation:PCR6

kms:RecipientAttestation:PCR7

kms:RecipientAttestation:PCR8

kms:RecipientAttestation:PCR9

Write

GetKeyLastUsage

Controls permission to view the last usage of an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Read

GetKeyPolicy

Controls permission to view the key policy for the specified Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Read

GetKeyRotationStatus

Controls permission to view the key rotation status for an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Read

GetParametersForImport

Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

kms:WrappingAlgorithm

kms:WrappingKeySpec

Read

GetPublicKey

Controls permission to download the public key of an asymmetric Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Read

ImportKeyMaterial

Controls permission to import cryptographic material into an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:ExpirationModel

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ValidTo

kms:ViaService

Write

ListAliases

Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with Amazon KMS keys

List

ListGrants

Controls permission to view all grants for an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:GrantIsForAWSResource

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

List

ListKeyPolicies

Controls permission to view the names of key policies for an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

List

ListKeyRotations

Controls permission to view the list of key materials for an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

List

ListKeys

Controls permission to view the key ID and Amazon Resource Name (ARN) of all Amazon KMS keys in the account

List

ListResourceTags

Controls permission to view all tags that are attached to an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

List

ListRetirableGrants

Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants

List

PutKeyPolicy

Controls permission to replace the key policy for the specified Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:BypassPolicyLockoutSafetyCheck

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Permissions management, Write

ReEncryptFrom

Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within Amazon KMS

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:EncryptionAlgorithm

kms:EncryptionContext:${EncryptionContextKey}

kms:EncryptionContextKeys

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ReEncryptOnSameKey

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

ReEncryptTo

Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within Amazon KMS

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:EncryptionAlgorithm

kms:EncryptionContext:${EncryptionContextKey}

kms:EncryptionContextKeys

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ReEncryptOnSameKey

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

ReplicateKey

Controls permission to replicate a multi-Region primary key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ReplicaRegion

kms:ResourceAliases

kms:ViaService

Write

RetireGrant

Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:EncryptionContext:${EncryptionContextKey}

kms:EncryptionContextKeys

kms:GrantConstraintType

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Permissions management, Write

RevokeGrant

Controls permission to revoke a grant, which denies permission for all operations that depend on the grant

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:GrantIsForAWSResource

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Permissions management, Write

RotateKeyOnDemand

Controls permission to invoke on-demand rotation of the cryptographic material in an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Write

ScheduleKeyDeletion

Controls permission to schedule deletion of an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ScheduleKeyDeletionPendingWindowInDays

kms:TrailingDaysWithoutKeyUsage

kms:ViaService

Write

Sign

Controls permission to produce a digital signature for a message

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MessageType

kms:MultiRegion

kms:MultiRegionKeyType

kms:RequestAlias

kms:ResourceAliases

kms:SigningAlgorithm

kms:ViaService

Write

TagResource

Controls permission to create or update tags that are attached to an Amazon KMS key

key*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Tagging, Write

UntagResource

Controls permission to delete tags that are attached to an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

aws:TagKeys

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Tagging, Write

UpdateAlias

Controls permission to associate an alias with a different Amazon KMS key. An alias is an optional friendly name that you can associate with a KMS key

alias*

kms:CallerAccount

kms:ViaService

Write

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

UpdateCustomKeyStore

Controls permission to change the properties of a custom key store

kms:CallerAccount

Write

UpdateKeyDescription

Controls permission to delete or change the description of an Amazon KMS key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

kms:ViaService

Write

UpdatePrimaryRegion

Controls permission to update the primary Region of a multi-Region primary key

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:PrimaryRegion

kms:ResourceAliases

kms:ViaService

Write

Verify

Controls permission to use the specified Amazon KMS key to verify digital signatures

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MessageType

kms:MultiRegion

kms:MultiRegionKeyType

kms:RequestAlias

kms:ResourceAliases

kms:SigningAlgorithm

kms:ViaService

Write

VerifyMac

Controls permission to use the Amazon KMS key to verify message authentication codes

key*

aws:ResourceTag/${TagKey}

kms:CallerAccount

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MacAlgorithm

kms:MultiRegion

kms:MultiRegionKeyType

kms:RequestAlias

kms:ResourceAliases

kms:ViaService

Write

Permission-only actions for Amazon Key Management Service

The following actions are defined by Amazon Key Management Service but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

SynchronizeMultiRegionKey

Controls access to internal APIs that synchronize multi-Region keys

key*

aws:ResourceTag/${TagKey}

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

Write

Resource types defined by Amazon Key Management Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

alias

arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}

key

arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}

aws:ResourceTag/${TagKey}

kms:KeyOrigin

kms:KeySpec

kms:KeyUsage

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

Condition keys for Amazon Key Management Service

Amazon Key Management Service defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access to the specified Amazon KMS operations based on both the key and value of the tag in the request

String

aws:ResourceTag/${TagKey}

Filters access to the specified Amazon KMS operations based on tags assigned to the Amazon KMS key

String

aws:TagKeys

Filters access to the specified Amazon KMS operations based on tag keys in the request

ArrayOfString

kms:BypassPolicyLockoutSafetyCheck

Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request

Bool

kms:CallerAccount

Filters access to specified Amazon KMS operations based on the Amazon Web Services account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an Amazon Web Services account in a single policy statement

String

kms:CustomerMasterKeySpec

The kms:CustomerMasterKeySpec condition key is deprecated. Instead, use the kms:KeySpec condition key

String

kms:CustomerMasterKeyUsage

The kms:CustomerMasterKeyUsage condition key is deprecated. Instead, use the kms:KeyUsage condition key

String

kms:DataKeyPairSpec

Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the KeyPairSpec parameter in the request

String

kms:EncryptionAlgorithm

Filters access to encryption operations based on the value of the encryption algorithm in the request

String

kms:EncryptionContext:${EncryptionContextKey}

Filters access to a symmetric Amazon KMS key based on the encryption context in a cryptographic operation. This condition evaluates the key and value in each key-value encryption context pair

String

kms:EncryptionContextKeys

Filters access to a symmetric Amazon KMS key based on the encryption context in a cryptographic operation. This condition key evaluates only the key in each key-value encryption context pair

ArrayOfString

kms:ExpirationModel

Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request

String

kms:GrantConstraintSourceArn

Filters access to the CreateGrant operation based on the value of SourceArn constraint in the request

ARN

kms:GrantConstraintType

Filters access to the CreateGrant operation based on the grant constraint in the request

String

kms:GrantIsForAWSResource

Filters access to the CreateGrant operation when the request comes from a specified Amazon service

Bool

kms:GrantOperations

Filters access to the CreateGrant operation based on the operations in the grant

ArrayOfString

kms:GranteePrincipal

Filters access to the CreateGrant operation based on the grantee principal in the grant

String

kms:GranteeServicePrincipal

Filters access to the CreateGrant operation based on the value of GranteeServicePrincipal in the request

String

kms:KeyAgreementAlgorithm

Filters access to the DeriveSharedSecret operation based on the value of the KeyAgreementAlgorithm parameter in the request

String

kms:KeyOrigin

Filters access to an API operation based on the Origin property of the Amazon KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key

String

kms:KeySpec

Filters access to an API operation based on the KeySpec property of the Amazon KMS key that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource

String

kms:KeyUsage

Filters access to an API operation based on the KeyUsage property of the Amazon KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource

String

kms:MacAlgorithm

Filters access to the GenerateMac and VerifyMac operations based on the MacAlgorithm parameter in the request

String

kms:MessageType

Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request

String

kms:MultiRegion

Filters access to an API operation based on the MultiRegion property of the Amazon KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource

Bool

kms:MultiRegionKeyType

Filters access to an API operation based on the MultiRegionKeyType property of the Amazon KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource

String

kms:PrimaryRegion

Filters access to the UpdatePrimaryRegion operation based on the value of the PrimaryRegion parameter in the request

String

kms:ReEncryptOnSameKey

Filters access to the ReEncrypt operation when it uses the same Amazon KMS key that was used for the Encrypt operation

Bool

kms:RecipientAttestation:ImageSha384

Filters access to the API operations based on the image hash in the attestation document in the request

String

kms:RecipientAttestation:NitroTPMPCR0

Filters access by the platform configuration register (PCR) 0 in the attestation document in the request. PCR0 is a contiguous measure of core system firmware executable code

String

kms:RecipientAttestation:NitroTPMPCR1

Filters access by the platform configuration register (PCR) 1 in the attestation document in the request. PCR1 is a contiguous measure of core system firmware data/host platform configuration, typically including serial and model numbers

String

kms:RecipientAttestation:NitroTPMPCR10

Filters access by the platform configuration register (PCR) 10 in the attestation document in the request. PCR10 is a contiguous measure of protection of the IMA measurement log

String

kms:RecipientAttestation:NitroTPMPCR11

Filters access by the platform configuration register (PCR) 11 in the attestation document in the request. PCR11 is a contiguous measure of all components of unified kernel images (UKIs)

String

kms:RecipientAttestation:NitroTPMPCR12

Filters access by the platform configuration register (PCR) 12 in the attestation document in the request. PCR12 is a contiguous measure of kernel command line, system credentials and system configuration images

String

kms:RecipientAttestation:NitroTPMPCR13

Filters access by the platform configuration register (PCR) 13 in the attestation document in the request. PCR13 is a contiguous measure of all system extension images for the initrd

String

kms:RecipientAttestation:NitroTPMPCR14

Filters access by the platform configuration register (PCR) 14 in the attestation document in the request. PCR14 is a contiguous measure of "MOK" certificates and hashes

String

kms:RecipientAttestation:NitroTPMPCR15

Filters access by the platform configuration register (PCR) 15 in the attestation document in the request. PCR15 is a contiguous measure of root file system volume encryption key

String

kms:RecipientAttestation:NitroTPMPCR16

Filters access by the platform configuration register (PCR) 16 in the attestation document in the request. PCR16 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:NitroTPMPCR17

Filters access by the platform configuration register (PCR) 17 in the attestation document in the request. PCR17 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:NitroTPMPCR18

Filters access by the platform configuration register (PCR) 18 in the attestation document in the request. PCR18 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:NitroTPMPCR19

Filters access by the platform configuration register (PCR) 19 in the attestation document in the request. PCR19 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:NitroTPMPCR2

Filters access by the platform configuration register (PCR) 2 in the attestation document in the request. PCR2 is a contiguous measure of extended or pluggable executable code, including option ROMs on pluggable hardware

String

kms:RecipientAttestation:NitroTPMPCR20

Filters access by the platform configuration register (PCR) 20 in the attestation document in the request. PCR20 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:NitroTPMPCR21

Filters access by the platform configuration register (PCR) 21 in the attestation document in the request. PCR21 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:NitroTPMPCR22

Filters access by the platform configuration register (PCR) 22 in the attestation document in the request. PCR22 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:NitroTPMPCR23

Filters access by the platform configuration register (PCR) 23 in the attestation document in the request. PCR23 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:NitroTPMPCR3

Filters access by the platform configuration register (PCR) 3 in the attestation document in the request. PCR3 is a contiguous measure of extended or pluggable firmware data, including information about pluggable hardware

String

kms:RecipientAttestation:NitroTPMPCR4

Filters access by the platform configuration register (PCR) 4 in the attestation document in the request. PCR4 is a contiguous measure of boot loader and additional drivers, including binaries and extensions loaded by the boot loader

String

kms:RecipientAttestation:NitroTPMPCR5

Filters access by the platform configuration register (PCR) 5 in the attestation document in the request. PCR5 is a contiguous measure of GPT/Partition table

String

kms:RecipientAttestation:NitroTPMPCR6

Filters access by the platform configuration register (PCR) 6 in the attestation document in the request. PCR6 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:NitroTPMPCR7

Filters access by the platform configuration register (PCR) 7 in the attestation document in the request. PCR7 is a contiguous measure of SecureBoot state

String

kms:RecipientAttestation:NitroTPMPCR8

Filters access by the platform configuration register (PCR) 8 in the attestation document in the request. PCR8 is a contiguous measure of commands and kernel command line

String

kms:RecipientAttestation:NitroTPMPCR9

Filters access by the platform configuration register (PCR) 9 in the attestation document in the request. PCR9 is a contiguous measure of all files read (including kernel image)

String

kms:RecipientAttestation:PCR0

Filters access by the platform configuration register (PCR) 0 in the attestation document in the request. PCR0 is a contiguous measure of the contents of the enclave image file, without the section data

String

kms:RecipientAttestation:PCR1

Filters access by the platform configuration register (PCR) 1 in the attestation document in the request. PCR1 is a contiguous measurement of the Linux kernel and bootstrap data

String

kms:RecipientAttestation:PCR10

Filters access by the platform configuration register (PCR) 10 in the attestation document in the request. PCR10 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR11

Filters access by the platform configuration register (PCR) 11 in the attestation document in the request. PCR11 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR12

Filters access by the platform configuration register (PCR) 12 in the attestation document in the request. PCR12 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR13

Filters access by the platform configuration register (PCR) 13 in the attestation document in the request. PCR13 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR14

Filters access by the platform configuration register (PCR) 14 in the attestation document in the request. PCR14 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR15

Filters access by the platform configuration register (PCR) 15 in the attestation document in the request. PCR15 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR16

Filters access by the platform configuration register (PCR) 16 in the attestation document in the request. PCR16 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR17

Filters access by the platform configuration register (PCR) 17 in the attestation document in the request. PCR17 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR18

Filters access by the platform configuration register (PCR) 18 in the attestation document in the request. PCR18 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR19

Filters access by the platform configuration register (PCR) 19 in the attestation document in the request. PCR19 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR2

Filters access by the platform configuration register (PCR) 2 in the attestation document in the request. PCR2 is a contiguous, in-order measurement of the user applications, without the boot ramfs

String

kms:RecipientAttestation:PCR20

Filters access by the platform configuration register (PCR) 20 in the attestation document in the request. PCR20 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR21

Filters access by the platform configuration register (PCR) 21 in the attestation document in the request. PCR21 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR22

Filters access by the platform configuration register (PCR) 22 in the attestation document in the request. PCR22 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR23

Filters access by the platform configuration register (PCR) 23 in the attestation document in the request. PCR23 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR24

Filters access by the platform configuration register (PCR) 24 in the attestation document in the request. PCR24 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR25

Filters access by the platform configuration register (PCR) 25 in the attestation document in the request. PCR25 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR26

Filters access by the platform configuration register (PCR) 26 in the attestation document in the request. PCR26 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR27

Filters access by the platform configuration register (PCR) 27 in the attestation document in the request. PCR27 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR28

Filters access by the platform configuration register (PCR) 28 in the attestation document in the request. PCR28 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR29

Filters access by the platform configuration register (PCR) 29 in the attestation document in the request. PCR29 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR3

Filters access by the platform configuration register (PCR) 3 in the attestation document in the request. PCR3 is a contiguous measurement of the IAM role assigned to the parent instance

String

kms:RecipientAttestation:PCR30

Filters access by the platform configuration register (PCR) 30 in the attestation document in the request. PCR30 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR31

Filters access by the platform configuration register (PCR) 31 in the attestation document in the request. PCR31 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR4

Filters access by the platform configuration register (PCR) 4 in the attestation document in the request. PCR4 is a contiguous measurement of the ID of the parent instance

String

kms:RecipientAttestation:PCR5

Filters access by the platform configuration register (PCR) 5 in the attestation document in the request. PCR5 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR6

Filters access by the platform configuration register (PCR) 6 in the attestation document in the request. PCR6 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR7

Filters access by the platform configuration register (PCR) 7 in the attestation document in the request. PCR7 is a custom PCR that can be defined by the user for specific use cases

String

kms:RecipientAttestation:PCR8

Filters access by the platform configuration register (PCR) 8 in the attestation document in the request. PCR8 is a measure of the signing certificate specified for the enclave image file

String

kms:RecipientAttestation:PCR9

Filters access by the platform configuration register (PCR) 9 in the attestation document in the request. PCR9 is a custom PCR that can be defined by the user for specific use cases

String

kms:ReplicaRegion

Filters access to the ReplicateKey operation based on the value of the ReplicaRegion parameter in the request

String

kms:RequestAlias

Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request

String

kms:ResourceAliases

Filters access to specified Amazon KMS operations based on aliases associated with the Amazon KMS key

ArrayOfString

kms:RetiringPrincipal

Filters access to the CreateGrant operation based on the retiring principal in the grant

String

kms:RetiringServicePrincipal

Filters access to the CreateGrant operation based on the value of RetiringServicePrincipal in the request

String

kms:RotationPeriodInDays

Filters access to the EnableKeyRotation operation based on the value of the RotationPeriodInDays parameter in the request

Numeric

kms:ScheduleKeyDeletionPendingWindowInDays

Filters access to the ScheduleKeyDeletion operation based on the value of the PendingWindowInDays parameter in the request

Numeric

kms:SigningAlgorithm

Filters access to the Sign and Verify operations based on the signing algorithm in the request

String

kms:TrailingDaysWithoutKeyUsage

Filters access to the ScheduleKeyDeletion and DisableKey operations based on the number of days since the Amazon KMS key was last used

Numeric

kms:ValidTo

Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date

Date

kms:ViaService

Filters access when a request made on the principal's behalf comes from a specified Amazon service

String

kms:WrappingAlgorithm

Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request

String

kms:WrappingKeySpec

Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request

String