本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# Amazon KMS 权限
此表旨在帮助您了解 Amazon KMS 权限,以便您可以控制对 Amazon KMS 资源的访问权限。表格下方会显示列标题的定义。
您还可以在*服务授权参考 Amazon Key Management Service*主题的[操作、资源和条件键](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awskeymanagementservice.html)中了解 Amazon KMS 权限。但是,该主题并未列出可用于优化每个权限的所有条件键。
有关哪些 Amazon KMS 操作对对称加密 KMS 密钥、非对称 KMS 密钥和 HMAC KMS 密钥有效的更多信息,请参阅。[密钥类型引用](symm-asymm-compare.md)
**注意**
您可能需要水平或垂直滚动才能查看表中的所有数据。
- ** [CancelKeyDeletion](https://docs.amazonaws.cn/kms/latest/APIReference/API_CancelKeyDeletion.html) `kms:CancelKeyDeletion` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- **[ConnectCustomKeyStore](https://docs.amazonaws.cn/kms/latest/APIReference/API_ConnectCustomKeyStore.html) `kms:ConnectCustomKeyStore`**
- **策略类型:** IAM 策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** [kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [CreateAlias](https://docs.amazonaws.cn/kms/latest/APIReference/API_CreateAlias.html) `kms:CreateAlias` 要使用此操作,调用方需要对以下两个资源具有 `kms:CreateAlias` 权限: [See the AWS documentation website for more details](http://docs.amazonaws.cn/kms/latest/developerguide/kms-api-permissions-reference.html) 有关更多信息,请参阅 [控制对别名的访问](alias-access.md)。 **
- **策略类型:** IAM policy(适用于别名) / **跨账户使用:** 否 / **资源(适用于 IAM policy):** Alias / **Amazon KMS 条件键:** 无(控制对别名的访问时)
- **策略类型:** 密钥策略(适用于 KMS 密钥) / **跨账户使用:** 否 / **资源(适用于 IAM policy):** KMS 密钥 / **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- **[CreateCustomKeyStore](https://docs.amazonaws.cn/kms/latest/APIReference/API_CreateCustomKeyStore.html)`kms:CreateCustomKeyStore`**
- **策略类型:** IAM 策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** [kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [CreateGrant](https://docs.amazonaws.cn/kms/latest/APIReference/API_CreateGrant.html) `kms:CreateGrant` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *加密上下文条件:*
[kms:EncryptionContext: *上下文*密钥](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms: EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*授予条件:*
[kms: GrantConstraintType](conditions-kms.md#conditions-kms-grant-constraint-type)
[kms: GranteePrincipal](conditions-kms.md#conditions-kms-grantee-principal)
[kms: GrantIsFor AWSResource](conditions-kms.md#conditions-kms-grant-is-for-aws-resource)
[kms: GrantOperations](conditions-kms.md#conditions-kms-grant-operations)
[kms: RetiringPrincipal](conditions-kms.md#conditions-kms-retiring-principal)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [CreateKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_CreateKey.html) `kms:CreateKey` **
- **策略类型:** IAM 策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** [kms: BypassPolicyLockoutSafetyCheck](conditions-kms.md#conditions-kms-bypass-policy-lockout-safety-check)
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
a@@ [ws:RequestTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag))
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
a@@ [ws: TagKeys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)(Amazon 全局条件密钥)
- ** [Decrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Decrypt.html) `kms:Decrypt` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *加密操作的条件*
[kms: EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密上下文条件:*
[kms:EncryptionContext: *上下文*密钥](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms: EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [DeleteAlias](https://docs.amazonaws.cn/kms/latest/APIReference/API_DeleteAlias.html) `kms:DeleteAlias` 要使用此操作,调用方需要对以下两个资源具有 `kms:DeleteAlias` 权限: [See the AWS documentation website for more details](http://docs.amazonaws.cn/kms/latest/developerguide/kms-api-permissions-reference.html) 有关更多信息,请参阅 [控制对别名的访问](alias-access.md)。 **
- **策略类型:** IAM policy(适用于别名) / **跨账户使用:** 否 / **资源(适用于 IAM policy):** Alias / **Amazon KMS 条件键:** 无(控制对别名的访问时)
- **策略类型:** 密钥策略(适用于 KMS 密钥) / **跨账户使用:** 否 / **资源(适用于 IAM policy):** KMS 密钥 / **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- **[DeleteCustomKeyStore](https://docs.amazonaws.cn/kms/latest/APIReference/API_DeleteCustomKeyStore.html)`kms:DeleteCustomKeyStore`**
- **策略类型:** IAM 策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** [kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [DeleteImportedKeyMaterial](https://docs.amazonaws.cn/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html) `kms:DeleteImportedKeyMaterial` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- **[DeriveSharedSecret](https://docs.amazonaws.cn/kms/latest/APIReference/API_DeriveSharedSecret.html)`kms:DeriveSharedSecret`**
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)加密操作的条件:
[kms: KeyAgreementAlgorithm](conditions-kms.md#conditions-kms-key-agreement-algorithm)
- **[DescribeCustomKeyStores](https://docs.amazonaws.cn/kms/latest/APIReference/API_DescribeCustomKeyStores.html)`kms:DescribeCustomKeyStores`**
- **策略类型:** IAM 策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** [kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [DescribeKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_DescribeKey.html) `kms:DescribeKey` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*其他条件:*
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
- ** [DisableKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_DisableKey.html) `kms:DisableKey` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [DisableKeyRotation](https://docs.amazonaws.cn/kms/latest/APIReference/API_DisableKeyRotation.html) `kms:DisableKeyRotation` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- **[DisconnectCustomKeyStore](https://docs.amazonaws.cn/kms/latest/APIReference/API_DisconnectCustomKeyStore.html)`kms:DisconnectCustomKeyStore`**
- **策略类型:** IAM 策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** [kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [EnableKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_EnableKey.html) `kms:EnableKey` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [EnableKeyRotation](https://docs.amazonaws.cn/kms/latest/APIReference/API_EnableKeyRotation.html) `kms:EnableKeyRotation` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*自动密钥轮换条件:*
[kms: RotationPeriodInDays](conditions-kms.md#conditions-kms-rotation-period-in-days)
- ** [Encrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Encrypt.html) `kms:Encrypt` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *加密操作的条件*
[kms: EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密上下文条件:*
[kms:EncryptionContext: *上下文*密钥](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms: EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html) `kms:GenerateDataKey` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *加密操作的条件*
[kms: EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密上下文条件:*
[kms:EncryptionContext: *上下文*密钥](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms: EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GenerateDataKeyPair](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyPair.html) `kms:GenerateDataKeyPair` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
生成受对称加密 KMS 密钥保护的非对称数据密钥对。
- **Amazon KMS 条件键:** *数据密钥对的条件:*
[kms: DataKeyPairSpec](conditions-kms.md#conditions-kms-data-key-spec)
*加密操作的条件*
[kms: EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密上下文条件:*
[kms:EncryptionContext: *上下文*密钥](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms: EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GenerateDataKeyPairWithoutPlaintext](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyPairWithoutPlaintext.html) `kms:GenerateDataKeyPairWithoutPlaintext` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
生成受对称加密 KMS 密钥保护的非对称数据密钥对。
- **Amazon KMS 条件键:** *数据密钥对的条件:*
[kms: DataKeyPairSpec](conditions-kms.md#conditions-kms-data-key-spec)
*加密操作的条件*
[kms: EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密上下文条件:*
[kms:EncryptionContext: *上下文*密钥](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms: EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GenerateDataKeyWithoutPlaintext](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) `kms:GenerateDataKeyWithoutPlaintext` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *加密操作的条件*
[kms: EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密上下文条件:*
[kms:EncryptionContext: *上下文*密钥](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms: EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- **[GenerateMac](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateMac.html)`kms:GenerateMac`**
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)加密操作的条件:
[kms: MacAlgorithm](conditions-kms.md#conditions-kms-mac-algorithm)
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
- ** [GenerateRandom](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateRandom.html) `kms:GenerateRandom` **
- **策略类型:** IAM 策略
- **跨账户使用:** 不适用
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** 无
- ** [GetKeyPolicy](https://docs.amazonaws.cn/kms/latest/APIReference/API_GetKeyPolicy.html) `kms:GetKeyPolicy` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GetKeyRotationStatus](https://docs.amazonaws.cn/kms/latest/APIReference/API_GetKeyRotationStatus.html) `kms:GetKeyRotationStatus` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GetParametersForImport](https://docs.amazonaws.cn/kms/latest/APIReference/API_GetParametersForImport.html) `kms:GetParametersForImport` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** [kms: WrappingAlgorithm](conditions-kms.md#conditions-kms-wrapping-algorithm)
[kms: WrappingKeySpec](conditions-kms.md#conditions-kms-wrapping-key-spec)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GetPublicKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GetPublicKey.html) `kms:GetPublicKey` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*其他条件:*
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
- ** [ImportKeyMaterial](https://docs.amazonaws.cn/kms/latest/APIReference/API_ImportKeyMaterial.html) `kms:ImportKeyMaterial` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*其他条件:*[kms: ExpirationModel](conditions-kms.md#conditions-kms-expiration-model)
[kms: ValidTo](conditions-kms.md#conditions-kms-valid-to)
- ** [ListAliases](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListAliases.html) `kms:ListAliases` **
- **策略类型:** IAM 策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** 无
- ** [ListGrants](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListGrants.html) `kms:ListGrants` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*其他条件:*
[kms: GrantIsFor AWSResource](conditions-kms.md#conditions-kms-grant-is-for-aws-resource)
- ** [ListKeyPolicies](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListKeyPolicies.html) `kms:ListKeyPolicies` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [ListKeyRotations](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListKeyRotations.html) `kms:ListKeyRotations` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [ListKeys](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListKeys.html) `kms:ListKeys` **
- **策略类型:** IAM 策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** 无
- ** [ListResourceTags](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListResourceTags.html) `kms:ListResourceTags` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [ListRetirableGrants](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListRetirableGrants.html) `kms:ListRetirableGrants` **
- **策略类型:** IAM 策略
- **跨账户使用:** 指定的委托人必须位于本地账户中,但操作将返回所有账户中的授权。
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** 无
- ** [PutKeyPolicy](https://docs.amazonaws.cn/kms/latest/APIReference/API_PutKeyPolicy.html) `kms:PutKeyPolicy` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*其他条件:*
[kms: BypassPolicyLockoutSafetyCheck](conditions-kms.md#conditions-kms-bypass-policy-lockout-safety-check)
- ** [ReEncrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_ReEncrypt.html) `kms:ReEncryptFrom` `kms:ReEncryptTo` 要使用此操作,调用方需要对以下两个 KMS 密钥具有权限: [See the AWS documentation website for more details](http://docs.amazonaws.cn/kms/latest/developerguide/kms-api-permissions-reference.html) **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *加密操作的条件*
[kms: EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密上下文条件:*
[kms:EncryptionContext: *上下文*密钥](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms: EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*其他条件:*
[kms: ReEncryptOnSameKey](conditions-kms.md#conditions-kms-reencrypt-on-same-key)
- ** [ReplicateKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_ReplicateKey.html) `kms:ReplicateKey` 要使用此操作,调用方需要具有以下权限: [See the AWS documentation website for more details](http://docs.amazonaws.cn/kms/latest/developerguide/kms-api-permissions-reference.html) **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*其他条件:*
[kms: ReplicaRegion](conditions-kms.md#conditions-kms-replica-region)
- ** [RetireGrant](https://docs.amazonaws.cn/kms/latest/APIReference/API_RetireGrant.html) `kms:RetireGrant` 撤销授予的权限主要由授予决定。单独的策略无法允许访问此操作。有关更多信息,请参阅[停用和撤销授权](grant-delete.md)。 **
- **策略类型:** IAM 策略
(此权限在密钥策略中无效。)
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *加密上下文条件:*
[kms:EncryptionContext: *上下文*密钥](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms: EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*授予条件:*
[kms: GrantConstraintType](conditions-kms.md#conditions-kms-grant-constraint-type)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [RevokeGrant](https://docs.amazonaws.cn/kms/latest/APIReference/API_RevokeGrant.html) `kms:RevokeGrant` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*其他条件:*
[kms: GrantIsFor AWSResource](conditions-kms.md#conditions-kms-grant-is-for-aws-resource)
- ** [RotateKeyOnDemand](https://docs.amazonaws.cn/kms/latest/APIReference/API_RotateKeyOnDemand.html) `kms:RotateKeyOnDemand` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [ScheduleKeyDeletion](https://docs.amazonaws.cn/kms/latest/APIReference/API_ScheduleKeyDeletion.html) `kms:ScheduleKeyDeletion` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [Sign](https://docs.amazonaws.cn/kms/latest/APIReference/API_Sign.html) `kms:Sign` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *签名和验证条件:*
[kms: MessageType](conditions-kms.md#conditions-kms-message-type)[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
[kms: SigningAlgorithm](conditions-kms.md#conditions-kms-signing-algorithm)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [TagResource](https://docs.amazonaws.cn/kms/latest/APIReference/API_TagResource.html) `kms:TagResource` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*标记条件:*
a@@ [ws:RequestTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag))
a@@ [ws: TagKeys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)(Amazon 全局条件密钥)
- ** [UntagResource](https://docs.amazonaws.cn/kms/latest/APIReference/API_UntagResource.html) `kms:UntagResource` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*标记条件:*
a@@ [ws:RequestTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag))
a@@ [ws: TagKeys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys)(Amazon 全局条件密钥)
- ** [UpdateAlias](https://docs.amazonaws.cn/kms/latest/APIReference/API_UpdateAlias.html) `kms:UpdateAlias` 要使用此操作,调用方需要对以下三个资源具有 `kms:UpdateAlias` 权限: [See the AWS documentation website for more details](http://docs.amazonaws.cn/kms/latest/developerguide/kms-api-permissions-reference.html) 有关更多信息,请参阅 [控制对别名的访问](alias-access.md)。 **
- **策略类型:** IAM policy(适用于别名) / **跨账户使用:** 否 / **资源(适用于 IAM policy):** Alias / **Amazon KMS 条件键:** 无(控制对别名的访问时)
- **策略类型:** 密钥策略(适用于 KMS 密钥) / **跨账户使用:** 否 / **资源(适用于 IAM policy):** KMS 密钥 / **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- **[UpdateCustomKeyStore](https://docs.amazonaws.cn/kms/latest/APIReference/API_UpdateCustomKeyStore.html)`kms:UpdateCustomKeyStore`**
- **策略类型:** IAM 策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** `*`
- **Amazon KMS 条件键:** [kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [UpdateKeyDescription](https://docs.amazonaws.cn/kms/latest/APIReference/API_UpdateKeyDescription.html) `kms:UpdateKeyDescription` **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [UpdatePrimaryRegion](https://docs.amazonaws.cn/kms/latest/APIReference/API_UpdatePrimaryRegion.html) `kms:UpdatePrimaryRegion` 要使用此操作,调用方需要对将成为副本密钥的[多区域主键](multi-region-keys-overview.md#mrk-primary-key)和将成为主键的[多区域副本密钥](multi-region-keys-overview.md#mrk-replica-key)同时具有 `kms:UpdatePrimaryRegion` 权限。 **
- **策略类型:** 密钥策略
- **跨账户使用:** 否
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
*其他条件*
[kms: PrimaryRegion](conditions-kms.md#conditions-kms-primary-region)
- ** [Verify](https://docs.amazonaws.cn/kms/latest/APIReference/API_Verify.html) `kms:Verify` **
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *签名和验证条件:*
[kms: MessageType](conditions-kms.md#conditions-kms-message-type)[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
[kms: SigningAlgorithm](conditions-kms.md#conditions-kms-signing-algorithm)
*KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)
- **[VerifyMac](https://docs.amazonaws.cn/kms/latest/APIReference/API_VerifyMac.html)`kms:VerifyMac`**
- **策略类型:** 密钥策略
- **跨账户使用:** 是
- **资源(适用于 IAM policy):** KMS 密钥
- **Amazon KMS 条件键:** *KMS 密钥操作的条件:*
[kms: CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms: KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms: KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms: KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms: MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms: MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms: ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
a@@ [ws:ResourceTag/*tag-key(Amazon 全局条件密钥*](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag))
[kms: ViaService](conditions-kms.md#conditions-kms-via-service)加密操作的条件:
[kms: MacAlgorithm](conditions-kms.md#conditions-kms-mac-algorithm)
[kms: RequestAlias](conditions-kms.md#conditions-kms-request-alias)
## 列描述
此表中的各列提供以下信息:
+ **操作和权限**列出了每个 Amazon KMS API 操作以及允许该操作的权限。您可以在策略语句的 `Action` 元素中指定操作。
+ **策略类型**指示权限是否可在密钥策略或 IAM policy 中使用。
*密钥策略*意味着您可以在密钥策略中指定权限。当密钥政策包含[启用 IAM policy 的策略语句](key-policy-default.md#key-policy-default-allow-root-enable-iam)时,您可以在 IAM policy 中指定权限。
*IAM policy* 意味着您只能在 IAM policy 中指定权限。
+ **跨账户使用**显示了授权用户可以对其他 Amazon Web Services 账户中的资源执行的操作。
值 *Yes*(是)表示委托人可以对其他 Amazon Web Services 账户中的资源执行操作。
值 *No*(否)表示委托人只能对其自己的 Amazon Web Services 账户中的资源执行操作。
如果您为不同账户中的委托人授予一个不能在跨账户资源上使用的权限,则该权限将无效。例如,如果您向其他账户中的委托人授予对您账户中 [K](https://docs.amazonaws.cn/kms/latest/APIReference/API_TagResource.html) MS 密钥的TagResource权限,则他们尝试在您的账户中标记 KMS 密钥将失败。
+ **资源**列出了权限适用的 Amazon KMS 资源。 Amazon KMS 支持两种资源类型:KMS 密钥和别名。在密钥策略中,`Resource` 元素的值始终为 `*`,这表示密钥策略附加到的 KMS 密钥。
使用以下值表示 IAM 策略中的 Amazon KMS 资源。
**KMS 密钥**
当资源是 KMS 密钥时,请使用其[密钥 ARN](concepts.md#key-id-key-ARN)。有关帮助信息,请参阅 [查找密钥 ID 和密钥 ARN](find-cmk-id-arn.md)。
`arn:{{Amazon_partition_name}}:kms:{{Amazon_Region}}:{{Amazon_account_ID}}:key/{{key_ID}}`
例如:
arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
**Alias**
当资源是别名时,请使用其[别名 ARN](concepts.md#key-id-alias-ARN)。有关帮助信息,请参阅 [查找 KMS 密钥的别名和别名 ARN](alias-view.md)。
`arn:{{Amazon_partition_name}}:kms:{{Amazon_region}}:{{Amazon_account_ID}}:alias/{{alias_name}}`
例如:
arn: aws: kms: us-west-2:111122223333: alias/ ExampleAlias
**`*`(星号)**
当权限不适用于特定资源(KMS 密钥或别名)时,请使用星号 (`*`)。
在 IAM Amazon KMS 权限策略中,`Resource`元素中的星号表示所有 Amazon KMS 资源(KMS 密钥和别名)。当 Amazon KMS 权限不适用于任何特定的 KMS 密钥或别名时,您也可以在`Resource`元素中使用星号。例如,允许或拒绝 `kms:CreateKey` 或 `kms:ListKeys` 权限时,必须将 `Resource` 元素设置为 `*`。
+ **Amazon KMS 条件键**列出了可用于控制对操作的访问的 Amazon KMS 条件键。您可以在策略的 `Condition` 元素中指定条件。有关更多信息,请参阅 [Amazon KMS 条件键](conditions-kms.md)。此列还包括所有服务都支持但并非所有 Amazon 服务都支持的[AmazonAmazon KMS全局条件键](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html)。