AWS KMS API Permissions: Actions and Resources Reference
When you are setting up access control with key policies and IAM policies, you can use the following table as a reference. The first column in the table lists each AWS KMS API operation and the corresponding action (permission) that allows the operation. You specify actions in a policy's `Action` element. The remaining columns provide the following additional information:

- The type of policy you must use to allow permissions to perform the operation. When the key policy is required, you can allow the permissions directly in the key policy, or you can ensure that the key policy contains the policy statement that enables IAM policies and then allow the permissions in an IAM policy.
- The resource or resources for which you can allow the operation. You specify resources in a policy's `Resource` element. For key policies, you always specify `"*"` for the resource, which effectively means "this CMK"; a key policy applies only to the CMK it is attached to. For IAM policies, you can specify the Amazon Resource Name (ARN) for a specific resource or set of resources.
- The AWS KMS condition keys you can use to control access to the operation. You specify conditions in a policy's `Condition` element. For more information, see AWS KMS Condition Keys.
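The interplay described above between a CMK's key policy and an IAM policy, as an added example that is not part of the AWS documentation: a small Python model that decides whether a role may call a CMK-scoped operation such as GenerateDataKeyWithoutPlaintext, either because the key policy grants it directly or because the key policy enables IAM policies and the role's IAM policy names the CMK's ARN. The account id, key id and role name are constructed placeholders; the "enable IAM policies" statement is the standard account-root form.

```python
import fnmatch

ACCOUNT = "111122223333"                               # constructed placeholder
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/BackupRole"   # hypothetical role
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"

# Key policy: Resource is always "*", meaning "this CMK". Its only statement is the
# standard one that lets IAM policies in the account grant KMS permissions.
KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"}]}

# Key policy that grants the role kms:Decrypt directly and does NOT enable IAM policies.
LOCKED_KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "kms:Decrypt", "Resource": "*"}]}

# IAM policy attached to the role: here the Resource is the CMK's ARN, not "*".
IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["kms:GenerateDataKeyWithoutPlaintext", "kms:Decrypt"],
     "Resource": KEY_ARN}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(patterns, value):
    """IAM-style wildcard match of one value against one or more patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principals(stmt):
    p = stmt.get("Principal", {})
    return _as_list(p) if isinstance(p, str) else _as_list(p.get("AWS", []))

def _effects(policy, action, resource, principal=None):
    """Effects of the statements covering action and resource (and principal, for key policies)."""
    return [s["Effect"] for s in policy["Statement"]
            if (principal is None or _match(_principals(s), principal))
            and _match(s["Action"], action) and _match(s["Resource"], resource)]

def key_policy_enables_iam(key_policy, account):
    """True when the key policy allows the account root principal kms:* on "*"."""
    return "Allow" in _effects(key_policy, "kms:*", "*", f"arn:aws:iam::{account}:root")

def is_allowed(key_policy, iam_policy, principal, account, action, key_arn):
    """Rule for the 'Key policy / CMK' rows: the key policy allows the principal directly, or it
    enables IAM policies and the IAM policy allows the action on this CMK's ARN. Deny wins."""
    kp, iam = _effects(key_policy, action, "*", principal), _effects(iam_policy, action, key_arn)
    if "Deny" in kp or "Deny" in iam:
        return False
    return "Allow" in kp or (key_policy_enables_iam(key_policy, account) and "Allow" in iam)
```

The second and fourth cases a practitioner should check are that an IAM policy scoped to a different key ARN grants nothing, and that an IAM allow is ignored when the key policy does not enable IAM policies.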
AWS KMS API Operations and Permissions
| API Operations and Actions (Permissions) | Policy Type | Resources and ARNs (for IAM Policies) | AWS KMS Condition Keys |
|---|---|---|---|
| | Key policy | CMK | |
| This operation requires access to two resources, an alias and a CMK, and requires permissions for both. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| | Key policy (for the CMK) | CMK | |
| | Key policy | CMK | |
| | IAM policy | | |
| | Key policy | CMK | |
| This operation requires access to two resources, an alias and a CMK, and requires permissions for both. | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| | Key policy (for the CMK) | CMK | |
| | Key policy | CMK | |
| | Key policy | CMK | |
| | Key policy | CMK | |
| | Key policy | CMK | |
| | Key policy | CMK | |
| | Key policy | CMK | |
| | Key policy | CMK | |
| GenerateDataKeyWithoutPlaintext | Key policy | CMK | |
| | IAM policy | None | |
| | Key policy | CMK | |
| | Key policy | CMK | |
| | IAM policy | None | |
| | Key policy | CMK | |
| | Key policy | CMK | |
| | IAM policy | None | |
| | IAM policy | None | |
| | Key policy | CMK | |
| This operation requires access to two CMKs, one for the decryption ( | Key policy | CMK | |
| Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see RetireGrant in the AWS Key Management Service API Reference. | Not applicable | Not applicable | Not applicable |
| | Key policy | CMK | |
| | Key policy | CMK | |
| This operation requires access to three resources, one alias and two CMKs, the one that the alias currently points to, and the new target CMK specified in the | IAM policy (for the alias) | Alias | None (when controlling access to the alias) |
| | Key policy (for the CMKs) | CMK | |
| | Key policy | CMK | |

