Source: https://docs.aws.amazon.com/kms/latest/developerguide/customer-managed-policies.html
Customer managed policy examples - AWS Key Management Service Developer Guide

CUSTOMER MANAGED POLICY EXAMPLES

In this section, you can find example IAM policies that allow permissions for various AWS KMS actions.

Important
Some of the permissions in the following policies are allowed only when the KMS key's key policy also allows them. For more information, see AWS KMS API permissions reference.
For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the IAM User Guide.

Examples
* Allow a user to view KMS keys in the AWS KMS console
* Allow a user to create KMS keys
* Allow a user to encrypt and decrypt with any KMS key in a specific AWS account
* Allow a user to encrypt and decrypt with any KMS key in a specific AWS account and Region
* Allow a user to encrypt and decrypt with specific KMS keys
* Prevent a user from disabling or deleting any KMS keys

ALLOW A USER TO VIEW KMS KEYS IN THE AWS KMS CONSOLE

The following IAM policy allows users read-only access to the AWS KMS console. Users with these permissions can view all KMS keys in their AWS account, but they cannot create or change any KMS keys.

To view KMS keys on the AWS managed keys and Customer managed keys pages, principals require kms:ListKeys and kms:ListAliases permissions. The remaining permissions, particularly kms:DescribeKey, are required to view optional KMS key table columns and data on the KMS key detail pages. The iam:ListUsers and iam:ListRoles permissions are required to display the key policy in default view without error. To view data on the Custom key stores page and details about KMS keys in custom key stores, principals also need kms:DescribeCustomKeyStores permission.

If you limit a user's console access to particular KMS keys, the console displays an error for each KMS key that is not visible.

This policy includes two policy statements. The Resource element in the first policy statement allows the specified permissions on all KMS keys in all Regions of the example AWS account. Console viewers don't need additional access because the AWS KMS console displays only KMS keys in the principal's account; this is true even if they have permission to view KMS keys in other AWS accounts. The remaining AWS KMS and IAM permissions require a "Resource": "*" element because they don't apply to any particular KMS key.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccessForAllKMSKeysInAccount",
      "Effect": "Allow",
      "Action": [
        "kms:GetPublicKey",
        "kms:GetKeyRotationStatus",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
        "kms:ListKeyPolicies",
        "kms:ListResourceTags"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Sid": "ReadOnlyAccessForOperationsWithNoKMSKey",
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:ListAliases",
        "iam:ListRoles",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

(Sid values in an IAM policy may contain only letters and digits, so the statement IDs above are written without spaces.)

ALLOW A USER TO CREATE KMS KEYS

The following IAM policy allows a user to create KMS keys. The value of the Resource element is * because the CreateKey operation does not use any particular AWS KMS resources (KMS keys or aliases).

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "kms:CreateKey",
    "Resource": "*"
  }
}

Principals who create keys might need some related permissions.

* kms:PutKeyPolicy — Principals who have kms:CreateKey permission can set the initial key policy for the KMS key. However, the CreateKey caller must have kms:PutKeyPolicy permission, which lets them change the KMS key policy, or they must specify the BypassPolicyLockoutSafetyCheck parameter of CreateKey, which is not recommended. The CreateKey caller can get kms:PutKeyPolicy permission for the KMS key from an IAM policy, or they can include this permission in the key policy of the KMS key that they're creating.
* kms:TagResource — To add tags to the KMS key during the CreateKey operation, the CreateKey caller must have kms:TagResource permission in an IAM policy. Including this permission in the key policy of the new KMS key isn't sufficient. However, if the CreateKey caller includes kms:TagResource in the initial key policy, they can add tags in a separate call after the KMS key is created.
* kms:CreateAlias — Principals who create a KMS key in the AWS KMS console must have kms:CreateAlias permission on the KMS key and on the alias. (The console makes two calls: one to CreateKey and one to CreateAlias.) You must provide the alias permission in an IAM policy. You can provide the KMS key permission in a key policy or IAM policy. For details, see Controlling access to aliases.

In addition to kms:CreateKey, the following IAM policy provides kms:TagResource permission on all KMS keys in the AWS account and kms:CreateAlias permission on all aliases in the account. It also includes some useful read-only permissions that can be provided only in an IAM policy.

This IAM policy does not include kms:PutKeyPolicy permission or any other permissions that can be set in a key policy. It's a best practice to set these permissions in the key policy, where they apply exclusively to one KMS key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPermissionsForParticularKMSKeys",
      "Effect": "Allow",
      "Action": "kms:TagResource",
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Sid": "IAMPermissionsForParticularAliases",
      "Effect": "Allow",
      "Action": "kms:CreateAlias",
      "Resource": "arn:aws:kms:*:111122223333:alias/*"
    },
    {
      "Sid": "IAMPermissionsForAllKMSKeys",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:ListKeys",
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}

ALLOW A USER TO ENCRYPT AND DECRYPT WITH ANY KMS KEY IN A SPECIFIC AWS ACCOUNT

The following IAM policy allows a user to encrypt and decrypt data with any KMS key in AWS account 111122223333. The account ID in the Resource element is what scopes it: a key in another account does not match, even if that account's key policy would otherwise permit the call.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": "arn:aws:kms:*:111122223333:key/*"
  }
}

ALLOW A USER TO ENCRYPT AND DECRYPT WITH ANY KMS KEY IN A SPECIFIC AWS ACCOUNT AND REGION

The following IAM policy allows a user to encrypt and decrypt data with any KMS key in AWS account 111122223333 in the US West (Oregon) Region.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/*"
    ]
  }
}

ALLOW A USER TO ENCRYPT AND DECRYPT WITH SPECIFIC KMS KEYS

The following IAM policy allows a user to encrypt and decrypt data with the two KMS keys specified in the Resource element. When specifying a KMS key in an IAM policy statement, you must use the key ARN of the KMS key. An alias ARN or a bare key ID in the Resource element does not match, because AWS KMS authorizes Encrypt and Decrypt requests against the key ARN even when the caller identified the key by its alias.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
    ]
  }
}

PREVENT A USER FROM DISABLING OR DELETING ANY KMS KEYS

The following IAM policy prevents a user from disabling or deleting any KMS keys, even when another IAM policy or a key policy allows these permissions. A policy that explicitly denies permissions overrides all other policies, even those that explicitly allow the same permissions. For more information, see Troubleshooting key access.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": [
      "kms:DisableKey",
      "kms:ScheduleKeyDeletion"
    ],
    "Resource": "*"
  }
}

Like any IAM policy, this Deny applies only to the principals it is attached to, and only to the two actions it names; it does not restrict other principals in the account, and it does not cover related actions that are not listed.

© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
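The policies in the encrypt/decrypt sections and the Deny example above differ only in how their Resource and Effect elements are evaluated, and the Important note at the top of the page adds a second gate (the key policy) that an IAM policy alone never shows. The following Python is an added example, not AWS code and not part of this page: a small evaluator that applies the IAM rules those examples rely on (Allow/Deny, wildcard matching of Action and Resource, explicit Deny winning over any Allow) and then combines an IAM policy with a key policy the way AWS KMS does for a same-account principal. The role ARN, the alias, the us-east-1 key, the admin policy and both key policies are constructed for the example; the account ID and key IDs are the page's own. Condition keys, grants and service control policies are deliberately not modelled.

```python
"""Toy evaluator for the IAM policy examples on this page (added example, not AWS code).
Covers only what those examples use: Allow/Deny, '*'/'?' wildcards in Action and
Resource, the Principal element of a key policy, and the rule that an explicit Deny
beats every Allow. Condition, NotAction, NotResource, grants and SCPs are out of scope."""
import json
import re

ACCOUNT = "111122223333"                                   # example account from the page
ROLE = f"arn:aws:iam::{ACCOUNT}:role/DataPipeline"         # assumed caller (hypothetical)
KEY_A = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/0987dcba-09fe-87dc-65ba-ab0987654321"
KEY_VA = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # hypothetical
ALIAS_A = f"arn:aws:kms:us-west-2:{ACCOUNT}:alias/payroll"                             # hypothetical

def _glob(pattern, value, ignore_case=False):
    """IAM-style match: '*' is any run of characters, '?' exactly one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _listed(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """AWS principals of a key-policy statement; None when absent (IAM policies have none)."""
    p = statement.get("Principal")
    if p is None:
        return None
    return ["*"] if p == "*" else _listed(p.get("AWS", []))

def evaluate(policies, action, resource, principal=None):
    """'Deny', 'Allow' or 'ImplicitDeny' for one request across the given policies.
    Actions match case-insensitively and resources case-sensitively, as in IAM."""
    allowed = False
    for policy in policies:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for st in _listed(doc["Statement"]):
            who = _principals(st)
            if who is not None and not any(_glob(p, principal or "") for p in who):
                continue
            if not any(_glob(a, action, True) for a in _listed(st.get("Action", []))):
                continue
            if not any(_glob(r, resource) for r in _listed(st.get("Resource", []))):
                continue
            if st["Effect"] == "Deny":
                return "Deny"        # an explicit Deny ends evaluation, whatever else allows
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def key_access(iam_policies, key_policy, principal, action, key_arn):
    """How KMS combines both sides for a same-account principal: the key policy must
    allow the principal directly, or allow the account root (the default
    "Enable IAM User Permissions" statement) so that IAM policies count at all."""
    by_key = evaluate([key_policy], action, key_arn, principal)
    by_iam = evaluate(iam_policies, action, key_arn)
    via_root = evaluate([key_policy], action, key_arn, f"arn:aws:iam::{ACCOUNT}:root")
    if "Deny" in (by_key, by_iam):
        return "Deny"
    if by_key == "Allow" or (via_root == "Allow" and by_iam == "Allow"):
        return "Allow"
    return "ImplicitDeny"

def _policy(action, resource, effect="Allow"):
    return {"Version": "2012-10-17",
            "Statement": {"Effect": effect, "Action": action, "Resource": resource}}

# The page's own policies, rebuilt with the helper above (same key ids as the page).
ENCRYPT_DECRYPT_OREGON = _policy(["kms:Encrypt", "kms:Decrypt"], [f"arn:aws:kms:us-west-2:{ACCOUNT}:key/*"])
ENCRYPT_DECRYPT_TWO_KEYS = _policy(["kms:Encrypt", "kms:Decrypt"], [KEY_A, KEY_B])
DENY_DISABLE_DELETE = _policy(["kms:DisableKey", "kms:ScheduleKeyDeletion"], "*", effect="Deny")
# Constructed for this example: a broad admin policy, a mistaken alias-ARN policy, two key policies.
KEY_ADMIN = _policy("kms:*", "*")
ALIAS_IN_RESOURCE = _policy(["kms:Encrypt", "kms:Decrypt"], ALIAS_A)
DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"}]}
NO_DELEGATION_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "kms:Decrypt", "Resource": "*"}]}

def demo():
    """The decisions worth confirming before trusting these policies."""
    return {
        # Region scoping: the us-west-2 policy says nothing about a key in us-east-1.
        "oregon_policy_oregon_key": evaluate([ENCRYPT_DECRYPT_OREGON], "kms:Decrypt", KEY_A),
        "oregon_policy_virginia_key": evaluate([ENCRYPT_DECRYPT_OREGON], "kms:Decrypt", KEY_VA),
        # A key ARN pins Region and key id; the same id in another Region is a different key.
        "two_keys_policy_virginia_key": evaluate([ENCRYPT_DECRYPT_TWO_KEYS], "kms:Encrypt", KEY_VA),
        # KMS authorizes against the key ARN even when the caller passed an alias, so an
        # alias ARN in Resource never matches an Encrypt or Decrypt request.
        "alias_in_resource": evaluate([ALIAS_IN_RESOURCE], "kms:Encrypt", KEY_A),
        # Explicit Deny beats the admin Allow, but only for the two actions it lists.
        "admin_deny_schedule_deletion": evaluate([KEY_ADMIN, DENY_DISABLE_DELETE], "kms:ScheduleKeyDeletion", KEY_A),
        "admin_deny_disable_rotation": evaluate([KEY_ADMIN, DENY_DISABLE_DELETE], "kms:DisableKeyRotation", KEY_A),
        # An IAM Allow is effective only when the key policy delegates to the account.
        "iam_allow_default_key_policy": key_access([ENCRYPT_DECRYPT_OREGON], DEFAULT_KEY_POLICY, ROLE, "kms:Decrypt", KEY_A),
        "iam_allow_no_delegation": key_access([ENCRYPT_DECRYPT_OREGON], NO_DELEGATION_KEY_POLICY, ROLE, "kms:Encrypt", KEY_A),
        "key_policy_direct_grant": key_access([], NO_DELEGATION_KEY_POLICY, ROLE, "kms:Decrypt", KEY_A),
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:30} {decision}")
```

Running the file prints one decision per line. The two results to pay attention to are admin_deny_disable_rotation, which stays Allow because the Deny statement names only kms:DisableKey and kms:ScheduleKeyDeletion, and iam_allow_no_delegation, which is ImplicitDeny even though the IAM policy grants kms:Encrypt: without a key policy statement that allows the account root, IAM policies in the account have no effect on that key. For a real account, the authoritative check is the IAM policy simulator or a test call with the intended principal, since this model ignores Condition elements, grants and organization policies.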