Submitted URL: https://docs.aws.amazon.com/kms/latest/developerguide/customer-managed-policies.html#iam-policy-example-encrypt-decrypt-one-...
Effective URL: https://docs.aws.amazon.com/kms/latest/developerguide/customer-managed-policies.html
IAM policy examples - AWS Key Management Service

IAM POLICY EXAMPLES

In this section, you can find example IAM policies that allow permissions for
various AWS KMS actions.

Important

Some of the permissions in the following policies are allowed only when the KMS
key's key policy also allows them. For more information, see Permissions
reference.

For help writing and formatting a JSON policy document, see the IAM JSON Policy
Reference in the IAM User Guide.

Examples

 * Allow a user to view KMS keys in the AWS KMS console
 * Allow a user to create KMS keys
 * Allow a user to encrypt and decrypt with any KMS key in a specific AWS
   account
 * Allow a user to encrypt and decrypt with any KMS key in a specific AWS
   account and Region
 * Allow a user to encrypt and decrypt with specific KMS keys
 * Prevent a user from disabling or deleting any KMS keys


ALLOW A USER TO VIEW KMS KEYS IN THE AWS KMS CONSOLE

The following IAM policy allows users read-only access to the AWS KMS console.
Users with these permissions can view all KMS keys in their AWS account, but
they cannot create or change any KMS keys.

To view KMS keys on the AWS managed keys and Customer managed keys pages,
principals require kms:ListKeys, kms:ListAliases, and tag:GetResources
permissions, even if the keys do not have tags or aliases. The remaining
permissions, particularly kms:DescribeKey, are required to view optional KMS key
table columns and data on the KMS key detail pages. The iam:ListUsers and
iam:ListRoles permissions are required to display the key policy in default view
without error. To view data on the Custom key stores page and details about KMS
keys in custom key stores, principals also need kms:DescribeCustomKeyStores
permission.

If you limit a user's console access to particular KMS keys, the console
displays an error for each KMS key that is not visible.

This policy consists of two policy statements. The Resource element in the first
policy statement allows the specified permissions on all KMS keys in all Regions
of the example AWS account. Console viewers don't need additional access because
the AWS KMS console displays only KMS keys in the principal's account. This is
true even if they have permission to view KMS keys in other AWS accounts. The
remaining AWS KMS and IAM permissions require a "Resource": "*" element because
they don't apply to any particular KMS key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccessForAllKMSKeysInAccount",
      "Effect": "Allow",
      "Action": [
        "kms:GetPublicKey",
        "kms:GetKeyRotationStatus",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
        "kms:ListKeyPolicies",
        "kms:ListResourceTags",
        "tag:GetResources"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Sid": "ReadOnlyAccessForOperationsWithNoKMSKey",
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:ListAliases",
        "iam:ListRoles",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}


ALLOW A USER TO CREATE KMS KEYS

The following IAM policy allows a user to create all types of KMS keys. The
value of the Resource element is * because the CreateKey operation does not use
any particular AWS KMS resources (KMS keys or aliases).

To restrict the user to particular types of KMS keys, use the kms:KeySpec,
kms:KeyUsage, and kms:KeyOrigin condition keys.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "kms:CreateKey",
    "Resource": "*"
  }
}

Principals who create keys might need some related permissions.

 * kms:PutKeyPolicy — Principals who have kms:CreateKey permission can set the
   initial key policy for the KMS key. However, the CreateKey caller must have
   kms:PutKeyPolicy permission, which lets them change the KMS key policy, or
   they must specify the BypassPolicyLockoutSafetyCheck parameter of CreateKey,
   which is not recommended. The CreateKey caller can get kms:PutKeyPolicy
   permission for the KMS key from an IAM policy or they can include this
   permission in the key policy of the KMS key that they're creating.

 * kms:TagResource — To add tags to the KMS key during the CreateKey operation,
   the CreateKey caller must have kms:TagResource permission in an IAM policy.
   Including this permission in the key policy of the new KMS key isn't
   sufficient. However, if the CreateKey caller includes kms:TagResource in the
   initial key policy, they can add tags in a separate call after the KMS key is
   created.

 * kms:CreateAlias — Principals who create a KMS key in the AWS KMS console must
   have kms:CreateAlias permission on the KMS key and on the alias. (The console
   makes two calls; one to CreateKey and one to CreateAlias). You must provide
   the alias permission in an IAM policy. You can provide the KMS key permission
   in a key policy or IAM policy. For details, see Controlling access to
   aliases.

In addition to kms:CreateKey, the following IAM policy provides kms:TagResource
permission on all KMS keys in the AWS account and kms:CreateAlias permission on
all aliases in the account. It also includes some useful read-only permissions
that can be provided only in an IAM policy.

This IAM policy does not include kms:PutKeyPolicy permission or any other
permissions that can be set in a key policy. It's a best practice to set these
permissions in the key policy where they apply exclusively to one KMS key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPermissionsForParticularKMSKeys",
      "Effect": "Allow",
      "Action": "kms:TagResource",
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Sid": "IAMPermissionsForParticularAliases",
      "Effect": "Allow",
      "Action": "kms:CreateAlias",
      "Resource": "arn:aws:kms:*:111122223333:alias/*"
    },
    {
      "Sid": "IAMPermissionsForAllKMSKeys",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:ListKeys",
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}


ALLOW A USER TO ENCRYPT AND DECRYPT WITH ANY KMS KEY IN A SPECIFIC AWS ACCOUNT

The following IAM policy allows a user to encrypt and decrypt data with any KMS
key in AWS account 111122223333.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": "arn:aws:kms:*:111122223333:key/*"
  }
}


ALLOW A USER TO ENCRYPT AND DECRYPT WITH ANY KMS KEY IN A SPECIFIC AWS ACCOUNT
AND REGION

The following IAM policy allows a user to encrypt and decrypt data with any KMS
key in AWS account 111122223333 in the US West (Oregon) Region.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/*"
    ]
  }
}


ALLOW A USER TO ENCRYPT AND DECRYPT WITH SPECIFIC KMS KEYS

The following IAM policy allows a user to encrypt and decrypt data with the two
KMS keys specified in the Resource element. When specifying a KMS key in an IAM
policy statement, you must use the key ARN of the KMS key.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
    ]
  }
}


PREVENT A USER FROM DISABLING OR DELETING ANY KMS KEYS

The following IAM policy prevents a user from disabling or deleting any KMS
keys, even when another IAM policy or a key policy allows these permissions. A
policy that explicitly denies permissions overrides all other policies, even
those that explicitly allow the same permissions. For more information, see
Troubleshooting key access.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": [
      "kms:DisableKey",
      "kms:ScheduleKeyDeletion"
    ],
    "Resource": "*"
  }
}
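To see how the Resource scoping in the three encrypt/decrypt examples and the explicit Deny in the last one interact, here is a simplified evaluator, added as an illustration and not part of the AWS documentation; it models only Effect, Action and Resource, and the BROAD_ALLOW and ALIAS_IN_RESOURCE policies, the is_allowed and demo functions, and the key ARNs inside demo() are constructed for the demonstration.

```python
"""Simplified IAM evaluator for this page's KMS policy examples (added example, not AWS
code).  It models Effect, Action and Resource with IAM-style wildcards and the rule that an
explicit Deny overrides every Allow; Principal, Condition, NotAction/NotResource, key
policies, grants and SCPs are ignored, so it does not replace the IAM policy simulator."""
import re

ACCOUNT = "111122223333"  # example account ID used throughout the page

def _match(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policies, action, resource):
    """Identity-based evaluation: explicit Deny wins, then any Allow, else denied."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive; resource ARNs are matched as written.
            if not any(_match(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False  # one matching Deny settles the request
            allowed = True
    return allowed

# Policies copied from the page.
REGION_SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"],
    "Resource": [f"arn:aws:kms:us-west-2:{ACCOUNT}:key/*"]}}
SPECIFIC_KEYS = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"],
    "Resource": [f"arn:aws:kms:us-west-2:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                 f"arn:aws:kms:us-west-2:{ACCOUNT}:key/0987dcba-09fe-87dc-65ba-ab0987654321"]}}
DENY_DISABLE_DELETE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Action": ["kms:DisableKey", "kms:ScheduleKeyDeletion"], "Resource": "*"}}
# Constructed for the demo: a broad Allow that the Deny above must override, and a
# policy that wrongly names an alias ARN where the page says a key ARN is required.
BROAD_ALLOW = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "kms:*", "Resource": "*"}}
ALIAS_IN_RESOURCE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "kms:Encrypt",
    "Resource": f"arn:aws:kms:us-west-2:{ACCOUNT}:alias/example-alias"}}

def demo():
    """Run the page's policies against constructed key ARNs.  KMS authorizes
    cryptographic operations against the key ARN, never against an alias ARN."""
    key_west = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    key_east = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    other_key = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
    return {
        "region_scoped_same_region": is_allowed([REGION_SCOPED], "kms:Decrypt", key_west),
        "region_scoped_other_region": is_allowed([REGION_SCOPED], "kms:Decrypt", key_east),
        "specific_key_listed": is_allowed([SPECIFIC_KEYS], "kms:Encrypt", key_west),
        "specific_key_not_listed": is_allowed([SPECIFIC_KEYS], "kms:Encrypt", other_key),
        "alias_arn_grants_nothing": is_allowed([ALIAS_IN_RESOURCE], "kms:Encrypt", key_west),
        "broad_allow_still_encrypts": is_allowed([BROAD_ALLOW, DENY_DISABLE_DELETE], "kms:Encrypt", key_west),
        "deny_beats_broad_allow": is_allowed([BROAD_ALLOW, DENY_DISABLE_DELETE], "kms:ScheduleKeyDeletion", key_west),
    }
```

Running demo() shows the Deny policy blocking kms:ScheduleKeyDeletion even beside a kms:* Allow, while the same principal can still call kms:Encrypt.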
