Baseline KMS key and IAM policy statements - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Baseline KMS key and IAM policy statements

Note

Customer managed KMS keys for Amazon IAM Identity Center are currently available in select Amazon Regions.

The baseline KMS key and identity-based policies provided here serve as a foundation for common requirements. We also recommend that you review Advanced KMS key policy statements that provide more granular access controls, such as ensuring the KMS key is accessible only to a specific IAM Identity Center instance or Amazon managed application. Before using advanced KMS key policy statements, review the Considerations for choosing baseline vs. advanced KMS key policy statements.

The following sections provide baseline policy statements for each use case. Copy the KMS key policy statements that match your use cases, then return to Step 2: Prepare KMS key policy statements.

Baseline KMS key policy statements for use of IAM Identity Center (required)

Use the following KMS key policy statement template in Step 2: Prepare KMS key policy statements to allow IAM Identity Center, its associated Identity Store, and IAM Identity Center administrators to use the KMS key.

  • Specify your IAM Identity Center administrators' IAM principals in the Principal element. For more information about IAM principals, see Specifying a principal in the IAM User Guide.

  • Identity Store has its own service principal, identitystore.amazonaws.com, which must be allowed to use the KMS key.

  • These policy statements allow any of your IAM Identity Center instances to use the KMS key. To restrict access to a specific IAM Identity Center instance, see Advanced KMS key policy statements.

KMS key policy statements

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*",
          "kms:ViaService": "identitystore.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
      "Effect": "Allow",
      "Principal": { "AWS": "${Admin_IAM_principal}" },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "AllowIAMIdentityCenterToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": "sso.amazonaws.com" },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityStoreToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": { "Service": "identitystore.amazonaws.com" },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "identitystore.amazonaws.com",
          "sso.amazonaws.com"
        ]
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    }
  ]
}

Use the following IAM policy statement template in Step 4: Configure IAM policies for cross-account use of the KMS key to allow IAM Identity Center administrators to use the KMS key.

  • Replace the example key ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see Find the required identifiers.

IAM policy statements required for delegated administrators of IAM Identity Center:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToUseKMSkey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToListKeyAliases",
      "Effect": "Allow",
      "Action": "kms:ListAliases",
      "Resource": "*"
    }
  ]
}

Baseline KMS key and IAM policy statements for use of Amazon managed applications

Note

Some Amazon managed applications cannot be used with IAM Identity Center configured with a customer managed KMS key. For more information, see Amazon managed applications that work with IAM Identity Center.

Use the following KMS key policy statement template in Step 2: Prepare KMS key policy statements to allow both Amazon managed applications and their administrators to use the KMS key.

  • Insert your Amazon Organizations ID in the PrincipalOrgID condition. For help finding the values of the referenced identifiers, see Find the required identifiers.

  • These policy statements allow any of your Amazon managed applications in the same organization in Amazon Organizations to use the KMS key. To restrict these policy statements to specific Amazon managed applications, accounts, or IAM Identity Center instances, see Advanced KMS key policy statements.

KMS key policy statements

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "${organization_ID}"
        },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "${organization_ID}"
        },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    }
  ]
}

Use the following IAM policy statement template in Step 4: Configure IAM policies for cross-account use of the KMS key to allow administrators of Amazon managed applications to use the KMS key from a member account.

  • Replace the example ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see Find the required identifiers.

  • Some Amazon managed applications require you to configure permissions for IAM Identity Center and Identity Store APIs. Before you configure a customer managed key in your IAM Identity Center instance, ensure that these permissions also allow use of the KMS key. For specific KMS key permission requirements, see the documentation for each Amazon managed application you've deployed.

IAM policy statements required for administrators of Amazon managed applications:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "sso.*.amazonaws.com",
            "identitystore.*.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Baseline KMS key statement for use of Amazon Control Tower

Use the following KMS key statement templates in Step 2: Prepare KMS key policy statements to allow Amazon Control Tower administrators to use the KMS key.

  • Specify the IAM principals used for access to the APIs of IAM Identity Center in the Principal field. For more information about IAM principals, see Specifying a principal in the IAM User Guide.

  • These policy statements allow Amazon Control Tower administrators to use the KMS key through any of your IAM Identity Center instances. However, Amazon Control Tower restricts access to the organization instance of IAM Identity Center in the same Amazon organization. Because of this restriction, there is no practical benefit to further restricting the KMS key to a specific IAM Identity Center instance as described in Advanced KMS key policy statements.

KMS key policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "${Control_Tower_Admins}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "${Control_Tower_Admins}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}

Amazon Control Tower does not support delegated administration and, therefore, you don't need to configure an IAM policy for its administrators.

Baseline KMS key and IAM policy statements for single sign-on from IAM Identity Center to Amazon Elastic Compute Cloud Windows instances

Use the following KMS key policy statement template in Step 2: Prepare KMS key policy statements to allow users of single sign-on (SSO) to Amazon EC2 Windows instances to use the KMS key across accounts.

  • Specify the IAM principals used for access to IAM Identity Center in the Principal field. For more information about IAM principals, see Specifying a principal in the IAM User Guide.

  • This policy statement allows any of your IAM Identity Center instances to use the KMS key. To restrict access to a specific IAM Identity Center instance, see Policy templates.

KMS key policy statement

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "${Permission_Set_IAM_Role}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "${Permission_Set_IAM_Role}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}

Use the following IAM policy statement template in Step 4: Configure IAM policies for cross-account use of the KMS key to allow SSO to EC2 Windows instances to use the KMS key.

Attach the IAM policy statement to the existing permission set in IAM Identity Center that you are using to allow SSO access to Amazon EC2 Windows instances. For IAM policy examples, see Remote Desktop Protocol connections in the Amazon Systems Manager User Guide.

  • Replace the example ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see Find the required identifiers.

Permission set IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicyToAllowKMSKeyUseViaIdentityCenterAndIdentityStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "sso.*.amazonaws.com",
            "identitystore.*.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Baseline KMS key and IAM policy statements for use of custom workflows with IAM Identity Center

Use the following KMS key policy statement templates in Step 2: Prepare KMS key policy statements to allow custom workflows in the Amazon Organizations management account or delegated administration account to use the KMS key.

  • Specify the IAM principals used to access IAM Identity Center APIs in the Principal element. For more information about IAM principals, see Specifying a principal in the IAM User Guide.

  • These policy statements allow your workflow to use the KMS key through any of your IAM Identity Center instances. To restrict access to a specific IAM Identity Center instance, see Policy templates.

KMS key policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": { "AWS": "${Workflow_IAM_principal}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "${Workflow_IAM_principal}" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}

Use the following IAM policy statement template in Step 4: Configure IAM policies for cross-account use of the KMS key to allow the IAM principal associated with the custom workflow to use the KMS key across accounts. Add the IAM policy statement to the IAM principal.

  • Replace the example ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see Find the required identifiers.

IAM policy statement (required only for cross-account use):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "sso.*.amazonaws.com",
            "identitystore.*.amazonaws.com"
          ]
        }
      }
    }
  ]
}
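The following script is an added example, not code from the IAM Identity Center documentation or from Amazon: it fills the ${...} placeholders used in the KMS key policy templates on this page and checks a composed key policy for the scoping these templates rely on (service principals pinned to their encryption context, IAM principals limited by kms:ViaService, and wildcard principals limited by aws:PrincipalOrgID or aws:PrincipalIsAWSService). The two-statement template, the role ARN, and the organization ID it uses are constructed sample values.

```python
"""Checks for a composed IAM Identity Center KMS key policy: an added example,
not Amazon code. Fills ${placeholders} and flags unscoped Allow statements."""
import json
import re

SSO_CTX = "kms:EncryptionContext:aws:sso:instance-arn"
IDS_CTX = "kms:EncryptionContext:aws:identitystore:identitystore-arn"

# Constructed sample in the page's style; the second statement omits kms:ViaService.
SAMPLE_TEMPLATE = """{"Version": "2012-10-17", "Statement": [
 {"Sid": "AdminViaIdentityCenter", "Effect": "Allow",
  "Principal": {"AWS": "${Admin_IAM_principal}"}, "Action": "kms:Decrypt",
  "Resource": "*", "Condition": {"StringLike": {
   "kms:EncryptionContext:aws:sso:instance-arn": "*",
   "kms:ViaService": "sso.*.amazonaws.com"}}},
 {"Sid": "AppAdminsInOrg", "Effect": "Allow", "Principal": "*",
  "Action": "kms:Decrypt", "Resource": "*",
  "Condition": {"StringEquals": {"aws:PrincipalOrgID": "${organization_ID}"}}}
]}"""

def render(template: str, **values: str) -> dict:
    """Substitute ${Name} placeholders; a value that is not supplied raises
    KeyError, so a half-filled policy is never returned."""
    return json.loads(re.sub(r"\$\{(\w+)\}", lambda m: values[m.group(1)], template))

def condition_keys(stmt: dict) -> set:
    return {key for op in stmt.get("Condition", {}).values() for key in op}

def check_key_policy(policy: dict) -> list:
    """Return findings; an empty list means every Allow statement is scoped."""
    findings, seen = [], set()
    for s in policy["Statement"]:
        sid, keys, principal = s.get("Sid", "<no Sid>"), condition_keys(s), s.get("Principal")
        if sid in seen:
            findings.append(f"{sid}: duplicate Sid")
        seen.add(sid)
        if s.get("Effect") != "Allow" or s.get("Action") == "kms:DescribeKey":
            continue  # the DescribeKey statements on this page carry no condition
        if isinstance(principal, dict) and "Service" in principal:
            # sso/identitystore service principals are pinned to their encryption
            # context so only Identity Center or Identity Store data can use the key.
            if not keys & {SSO_CTX, IDS_CTX}:
                findings.append(f"{sid}: service principal lacks encryption-context condition")
        elif "kms:ViaService" not in keys:
            # IAM principals may use the key only through sso or identitystore.
            findings.append(f"{sid}: missing kms:ViaService condition")
        if principal == "*" and not keys & {"aws:PrincipalOrgID", "aws:PrincipalIsAWSService"}:
            findings.append(f"{sid}: Principal '*' not limited by org ID or service flag")
    return findings
```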