AWS KMS permissions - AWS Key Management Service

This table is designed to help you understand AWS KMS permissions so you can control access to your AWS KMS resources. Definitions of the column headings appear below the table.

For more information on which AWS KMS operations are valid for symmetric encryption KMS keys, asymmetric KMS keys, and HMAC KMS keys, see the Key type reference.

The block headed "Conditions for KMS key operations" appears on most rows. It is listed once here and abbreviated in the table as "KMS key conditions": kms:CallerAccount, kms:KeySpec, kms:KeyUsage, kms:KeyOrigin, kms:MultiRegion, kms:MultiRegionKeyType, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService. Rows that support additional keys keep the source's grouping (conditions for cryptographic operations, encryption context conditions, grant conditions, and so on).

| Actions and permissions | Policy type | Cross-account use | Resources (for IAM policies) | AWS KMS condition keys |
|---|---|---|---|---|
| CancelKeyDeletion (kms:CancelKeyDeletion) | Key policy | No | KMS key | KMS key conditions |
| ConnectCustomKeyStore (kms:ConnectCustomKeyStore) | IAM policy | No | * | kms:CallerAccount |
| CreateAlias (kms:CreateAlias). To use this operation, the caller needs kms:CreateAlias permission on two resources: the alias (in an IAM policy) and the KMS key (in a key policy). For details, see Controlling access to aliases. | IAM policy (for the alias) | No | Alias | None (when controlling access to the alias) |
| | Key policy (for the KMS key) | No | KMS key | KMS key conditions |
| CreateCustomKeyStore (kms:CreateCustomKeyStore) | IAM policy | No | * | kms:CallerAccount |
| CreateGrant (kms:CreateGrant) | Key policy | Yes | KMS key | Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. Grant conditions: kms:GrantConstraintType, kms:GranteePrincipal, kms:GrantIsForAWSResource, kms:GrantOperations, kms:RetiringPrincipal. KMS key conditions |
| CreateKey (kms:CreateKey) | IAM policy | No | * | kms:BypassPolicyLockoutSafetyCheck, kms:CallerAccount, kms:KeySpec, kms:KeyUsage, kms:KeyOrigin, kms:MultiRegion, kms:MultiRegionKeyType, kms:ViaService, aws:RequestTag/tag-key (AWS global condition key), aws:ResourceTag/tag-key (AWS global condition key), aws:TagKeys (AWS global condition key) |
| Decrypt (kms:Decrypt) | Key policy | Yes | KMS key | Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. KMS key conditions |
| DeleteAlias (kms:DeleteAlias). To use this operation, the caller needs kms:DeleteAlias permission on two resources: the alias (in an IAM policy) and the KMS key (in a key policy). For details, see Controlling access to aliases. | IAM policy (for the alias) | No | Alias | None (when controlling access to the alias) |
| | Key policy (for the KMS key) | No | KMS key | KMS key conditions |
| DeleteCustomKeyStore (kms:DeleteCustomKeyStore) | IAM policy | No | * | kms:CallerAccount |
| DeleteImportedKeyMaterial (kms:DeleteImportedKeyMaterial) | Key policy | No | KMS key | KMS key conditions |
| DeriveSharedSecret (kms:DeriveSharedSecret) | Key policy | Yes | KMS key | KMS key conditions. Conditions for cryptographic operations: kms:KeyAgreementAlgorithm |
| DescribeCustomKeyStores (kms:DescribeCustomKeyStores) | IAM policy | No | * | kms:CallerAccount |
| DescribeKey (kms:DescribeKey) | Key policy | Yes | KMS key | KMS key conditions. Other conditions: kms:RequestAlias |
| DisableKey (kms:DisableKey) | Key policy | No | KMS key | KMS key conditions |
| DisableKeyRotation (kms:DisableKeyRotation) | Key policy | No | KMS key | KMS key conditions |
| DisconnectCustomKeyStore (kms:DisconnectCustomKeyStore) | IAM policy | No | * | kms:CallerAccount |
| EnableKey (kms:EnableKey) | Key policy | No | KMS key | KMS key conditions |
| EnableKeyRotation (kms:EnableKeyRotation) | Key policy | No | KMS key | KMS key conditions. Automatic key rotation conditions: kms:RotationPeriodInDays |
| Encrypt (kms:Encrypt) | Key policy | Yes | KMS key | Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. KMS key conditions |
| GenerateDataKey (kms:GenerateDataKey) | Key policy | Yes | KMS key | Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. KMS key conditions |
| GenerateDataKeyPair (kms:GenerateDataKeyPair). Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key. | Key policy | Yes | KMS key | Conditions for data key pairs: kms:DataKeyPairSpec. Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. KMS key conditions |
| GenerateDataKeyPairWithoutPlaintext (kms:GenerateDataKeyPairWithoutPlaintext). Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key. | Key policy | Yes | KMS key | Conditions for data key pairs: kms:DataKeyPairSpec. Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. KMS key conditions |
| GenerateDataKeyWithoutPlaintext (kms:GenerateDataKeyWithoutPlaintext) | Key policy | Yes | KMS key | Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. KMS key conditions |
| GenerateMac (kms:GenerateMac) | Key policy | Yes | KMS key | KMS key conditions. Conditions for cryptographic operations: kms:MacAlgorithm, kms:RequestAlias |
| GenerateRandom (kms:GenerateRandom) | IAM policy | N/A | * | None |
| GetKeyPolicy (kms:GetKeyPolicy) | Key policy | No | KMS key | KMS key conditions |
| GetKeyRotationStatus (kms:GetKeyRotationStatus) | Key policy | Yes | KMS key | KMS key conditions |
| GetParametersForImport (kms:GetParametersForImport) | Key policy | No | KMS key | kms:WrappingAlgorithm, kms:WrappingKeySpec. KMS key conditions |
| GetPublicKey (kms:GetPublicKey) | Key policy | Yes | KMS key | KMS key conditions. Other conditions: kms:RequestAlias |
| ImportKeyMaterial (kms:ImportKeyMaterial) | Key policy | No | KMS key | KMS key conditions. Other conditions: kms:ExpirationModel, kms:ValidTo |
| ListAliases (kms:ListAliases) | IAM policy | No | * | None |
| ListGrants (kms:ListGrants) | Key policy | Yes | KMS key | KMS key conditions. Other conditions: kms:GrantIsForAWSResource |
| ListKeyPolicies (kms:ListKeyPolicies) | Key policy | No | KMS key | KMS key conditions |
| ListKeyRotations (kms:ListKeyRotations) | Key policy | No | KMS key | KMS key conditions |
| ListKeys (kms:ListKeys) | IAM policy | No | * | None |
| ListResourceTags (kms:ListResourceTags) | Key policy | No | KMS key | KMS key conditions |
| ListRetirableGrants (kms:ListRetirableGrants) | IAM policy | The specified principal must be in the local account, but the operation returns grants in all accounts. | * | None |
| PutKeyPolicy (kms:PutKeyPolicy) | Key policy | No | KMS key | KMS key conditions. Other conditions: kms:BypassPolicyLockoutSafetyCheck |
| ReEncrypt (kms:ReEncryptFrom, kms:ReEncryptTo). To use this operation, the caller needs permission on two KMS keys: kms:ReEncryptFrom on the KMS key used to decrypt and kms:ReEncryptTo on the KMS key used to encrypt. | Key policy | Yes | KMS key | Conditions for cryptographic operations: kms:EncryptionAlgorithm, kms:RequestAlias. Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. KMS key conditions. Other conditions: kms:ReEncryptOnSameKey |
| ReplicateKey (kms:ReplicateKey). To use this operation, the caller needs the following permissions: kms:ReplicateKey on the multi-Region primary key, and kms:CreateKey in an IAM policy in the replica Region. | Key policy | No | KMS key | KMS key conditions. Other conditions: kms:ReplicaRegion |
| RetireGrant (kms:RetireGrant). Permission to retire a grant is determined primarily by the grant. A policy alone cannot allow access to this operation. For more information, see Retiring and revoking grants. | IAM policy (this permission is not effective in a key policy) | Yes | KMS key | Encryption context conditions: kms:EncryptionContext:context-key, kms:EncryptionContextKeys. Grant conditions: kms:GrantConstraintType. Conditions for KMS key operations: kms:CallerAccount, kms:ResourceAliases, aws:ResourceTag/tag-key (AWS global condition key), kms:ViaService |
| RevokeGrant (kms:RevokeGrant) | Key policy | Yes | KMS key | KMS key conditions. Other conditions: kms:GrantIsForAWSResource |
| RotateKeyOnDemand (kms:RotateKeyOnDemand) | Key policy | No | KMS key | KMS key conditions |
| ScheduleKeyDeletion (kms:ScheduleKeyDeletion) | Key policy | No | KMS key | KMS key conditions |
| Sign (kms:Sign) | Key policy | Yes | KMS key | Conditions for signing and verification: kms:MessageType, kms:RequestAlias, kms:SigningAlgorithm. KMS key conditions |
| TagResource (kms:TagResource) | Key policy | No | KMS key | KMS key conditions. Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key), aws:TagKeys (AWS global condition key) |
| UntagResource (kms:UntagResource) | Key policy | No | KMS key | KMS key conditions. Conditions for tagging: aws:RequestTag/tag-key (AWS global condition key), aws:TagKeys (AWS global condition key) |
| UpdateAlias (kms:UpdateAlias). To use this operation, the caller needs kms:UpdateAlias permission on three resources: the alias, the currently associated KMS key, and the newly associated KMS key. For details, see Controlling access to aliases. | IAM policy (for the alias) | No | Alias | None (when controlling access to the alias) |
| | Key policy (for the KMS keys) | No | KMS key | KMS key conditions |
| UpdateCustomKeyStore (kms:UpdateCustomKeyStore) | IAM policy | No | * | kms:CallerAccount |
| UpdateKeyDescription (kms:UpdateKeyDescription) | Key policy | No | KMS key | KMS key conditions |
| UpdatePrimaryRegion (kms:UpdatePrimaryRegion). To use this operation, the caller needs kms:UpdatePrimaryRegion permission on both the multi-Region primary key that will become a replica key and the multi-Region replica key that will become the primary key. | Key policy | No | KMS key | KMS key conditions. Other conditions: kms:PrimaryRegion |
| Verify (kms:Verify) | Key policy | Yes | KMS key | Conditions for signing and verification: kms:MessageType, kms:RequestAlias, kms:SigningAlgorithm. KMS key conditions |
| VerifyMac (kms:VerifyMac) | Key policy | Yes | KMS key | KMS key conditions. Conditions for cryptographic operations: kms:MacAlgorithm, kms:RequestAlias |
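The table is most useful when it is applied mechanically to a policy under review: a key policy statement for an IAM-policy-only action never takes effect, an IAM statement for kms:CreateKey or kms:ListKeys with a key ARN as its Resource never matches, a condition key the action does not support is never present in the request context (so an Allow is dead and a Deny silently stops applying), and a cross-account principal on an action whose cross-account column reads "No" gets nothing. The linter below is an added example, not code from the AWS documentation or the KMS service. Its TABLE dictionary encodes a subset of the rows above (the policy type, cross-account flag and condition keys are copied from those rows; actions missing from TABLE are skipped, not judged), the function names lint and run_example are the example's own, and the account IDs, role names and key ID in the sample policies are constructed placeholders.

```python
"""Lint KMS policy statements against the permissions table above.

Added example, not code from the AWS documentation. TABLE encodes a subset of
the table's rows (policy type, cross-account use, condition keys taken from
those rows); actions absent from TABLE are skipped. Samples are constructed.
"""
import fnmatch

# The "Conditions for KMS key operations" block that most rows share.
KEY = {"kms:CallerAccount", "kms:KeySpec", "kms:KeyUsage", "kms:KeyOrigin",
       "kms:MultiRegion", "kms:MultiRegionKeyType", "kms:ResourceAliases",
       "aws:ResourceTag/", "kms:ViaService"}
CRYPTO = {"kms:EncryptionAlgorithm", "kms:RequestAlias"}
ENC_CTX = {"kms:EncryptionContext:", "kms:EncryptionContextKeys"}
GRANT = {"kms:GrantConstraintType", "kms:GranteePrincipal",
         "kms:GrantIsForAWSResource", "kms:GrantOperations", "kms:RetiringPrincipal"}
SIGN = {"kms:MessageType", "kms:RequestAlias", "kms:SigningAlgorithm"}

# action -> (policy type, cross-account use, supported condition keys).
# Entries ending in ":" or "/" are prefixes (kms:EncryptionContext:context-key).
TABLE = {
    "kms:Encrypt": ("key", True, KEY | CRYPTO | ENC_CTX),
    "kms:Decrypt": ("key", True, KEY | CRYPTO | ENC_CTX),
    "kms:GenerateDataKey": ("key", True, KEY | CRYPTO | ENC_CTX),
    "kms:ReEncryptFrom": ("key", True, KEY | CRYPTO | ENC_CTX | {"kms:ReEncryptOnSameKey"}),
    "kms:ReEncryptTo": ("key", True, KEY | CRYPTO | ENC_CTX | {"kms:ReEncryptOnSameKey"}),
    "kms:CreateGrant": ("key", True, KEY | ENC_CTX | GRANT),
    "kms:ListGrants": ("key", True, KEY | {"kms:GrantIsForAWSResource"}),
    "kms:DescribeKey": ("key", True, KEY | {"kms:RequestAlias"}),
    "kms:Sign": ("key", True, KEY | SIGN),
    "kms:PutKeyPolicy": ("key", False, KEY | {"kms:BypassPolicyLockoutSafetyCheck"}),
    # Retiring is decided by the grant; an IAM policy can constrain it, a key policy cannot.
    "kms:RetireGrant": ("iam", True, ENC_CTX | {"kms:GrantConstraintType", "kms:CallerAccount",
                                                 "kms:ResourceAliases", "aws:ResourceTag/", "kms:ViaService"}),
    "kms:CreateKey": ("iam", False, (KEY - {"kms:ResourceAliases"})
                      | {"kms:BypassPolicyLockoutSafetyCheck", "aws:RequestTag/", "aws:TagKeys"}),
    "kms:ListKeys": ("iam", False, set()),
    "kms:GenerateRandom": ("iam", None, set()),
}
TAG_KEYS = ("aws:ResourceTag/", "aws:RequestTag/", "aws:TagKeys")

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _supported(key, allowed):
    return any(key == a or (a[-1] in ":/" and key.startswith(a)) for a in allowed)

def _accounts(principal):
    # Account IDs named by a key-policy Principal; a bare "*" counts as foreign.
    if principal == "*":
        return {"*"}
    return {p.split(":")[4] if p.startswith("arn:") else p
            for p in _as_list(principal.get("AWS", []))}

def lint(policy, policy_type, key_account=None):
    """Return findings. policy_type is "key" or "iam"; key_account owns the key."""
    findings = []
    for n, st in enumerate(policy["Statement"]):
        actions = list(dict.fromkeys(a for pat in _as_list(st.get("Action", []))
                                     for a in TABLE if fnmatch.fnmatchcase(a.lower(), pat.lower())))
        cond_keys = [k for ops in st.get("Condition", {}).values() for k in ops]
        resources = _as_list(st.get("Resource", []))
        foreign = _accounts(st["Principal"]) - {key_account} if "Principal" in st else set()
        for a in actions:
            ptype, xacct, allowed = TABLE[a]
            where = f"statement {n} {a}"
            if policy_type == "key" and ptype == "iam":
                findings.append(f"{where}: not effective in a key policy; grant it in an IAM policy")
            if policy_type == "iam" and ptype == "iam" and resources != ["*"]:
                findings.append(f'{where}: Resource must be "*"; a key ARN never matches')
            for k in cond_keys:
                if k.startswith("aws:") and not k.startswith(TAG_KEYS):
                    continue  # other global keys are evaluated by IAM, outside this table
                if not _supported(k, allowed):
                    findings.append(f"{where}: condition key {k} is unsupported, so the statement "
                                    f"never matches (an Allow is dead, a Deny is silent)")
            if policy_type == "key" and foreign and xacct is False:
                findings.append(f'{where}: cross-account use is "No", but Principal names {sorted(foreign)}')
    return findings

# Constructed samples; account IDs, role names and the key ID are placeholders.
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppUseViaS3", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com",
                                    "kms:EncryptionContext:app": "payments"}}},
    {"Sid": "PartnerAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": ["kms:PutKeyPolicy", "kms:RetireGrant", "kms:DescribeKey"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:EncryptionContext:app": "payments"}}}]}
SAMPLE_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:CreateKey", "kms:ListKeys"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]}

def run_example():
    """Lint both samples; returns (key policy findings, IAM policy findings)."""
    return (lint(SAMPLE_KEY_POLICY, "key", key_account="111122223333"),
            lint(SAMPLE_IAM_POLICY, "iam"))
```

Running run_example() reports nothing for the first key-policy statement (kms:ViaService and kms:EncryptionContext:app are both supported for Decrypt and GenerateDataKey) and four findings for the second: the encryption-context condition is unsupported on DescribeKey and PutKeyPolicy, PutKeyPolicy is being granted to a principal in another account although its cross-account column reads "No", and the kms:RetireGrant statement has no effect in a key policy. The IAM sample draws two findings, one per action, because kms:CreateKey and kms:ListKeys take Resource "*" and a key ARN never matches them. Wildcard actions such as kms:* are expanded against TABLE, so a broad statement is checked action by action.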