Authentication and access control
This page was generated from content adapted from the AWS Developer Guide
IAM policies
Note To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. Specifically, the key policy must include the policy statement that enables IAM policies. This section explains how to use IAM policies to control access to AWS KMS operations. For more general information about IAM, see the IAM User Guide.
VPC endpoint
Note AWS KMS supports VPC endpoint policies beginning in July 2020. VPC endpoints for AWS KMS that were created before that date have the default VPC endpoint policy, but you can change it at any time.
Note Use caution when creating key policies and IAM policies based on your VPC endpoint. If a policy statement requires that requests come from a particular VPC or VPC endpoint, requests from integrated AWS services that use an AWS KMS resource on your behalf might fail. For help, see Using VPC endpoint conditions in policies with AWS KMS permissions. Also, the aws:sourceIP condition key is not effective when the request comes from an Amazon VPC endpoint. To restrict requests to a VPC endpoint, use the aws:sourceVpce or aws:sourceVpc condition keys. For more information, see Identity and access management for VPC endpoints and VPC endpoint services in the AWS PrivateLink Guide.
Condition keys
Note Condition key values must adhere to the character and encoding rules for AWS KMS key policies and IAM policies. For details about key policy document rules, see Key policy format. For details about IAM policy document rules, see IAM name requirements in the IAM User Guide.
Cross-account access
Note The examples in this topic show how to use a key policy and IAM policy together to provide and limit access to a KMS key. These generic examples are not intended to represent the permissions that any particular AWS service requires on a KMS key. For information about the permissions that an AWS service requires, see the encryption topic in the service documentation.
Note The key policy for the KMS key must give the external account (or users and roles in the external account) permission to use the KMS key.
Note Do not set the Principal to an asterisk (*) in any key policy statement that allows permissions unless you use conditions to limit the key policy. An asterisk gives every identity in every AWS account permission to use the KMS key, unless another policy statement explicitly denies it. Users in other AWS accounts just need corresponding IAM permissions in their own accounts to use the KMS key.
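Taken together, the notes above give three checks a reviewer can run over a key policy document before attaching it to a KMS key: the statement that enables IAM policies for the account must be present, an Allow statement with Principal * must carry a Condition, and aws:sourceIP cannot be relied on to restrict requests to a VPC endpoint. The linter below is an added example, not code from the AWS documentation; the policy document, statement Sids and account id are constructed placeholders.

```python
import json

# Constructed sample key policy; the account id is a placeholder, not a real account.
ACCOUNT_ID = "111122223333"
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
     "Action": "kms:Decrypt", "Resource": "*"},
    {"Sid": "DenyOutsideNetwork", "Effect": "Deny", "Principal": "*",
     "Action": "kms:*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:sourceIP": "10.0.0.0/16"}}},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """Flatten Principal ('*', {'AWS': ...}, lists) into a list of strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return [p for value in principal.values() for p in _as_list(value)]

def _condition_keys(statement):
    # Condition keys are case-insensitive, so compare lower-cased.
    return {k.lower() for op in statement.get("Condition", {}).values() for k in op}

def lint_key_policy(policy_json, account_id):
    """Return (sid, finding) pairs for the three rules this page describes."""
    statements = json.loads(policy_json)["Statement"]
    root = f"arn:aws:iam::{account_id}:root"
    findings = []
    # Rule 1: the key policy must delegate to IAM via the account root principal.
    if not any(s.get("Effect") == "Allow" and root in _principals(s)
               and "kms:*" in _as_list(s.get("Action")) and "Condition" not in s
               for s in statements):
        findings.append(("<policy>", "no statement enables IAM policies for the account"))
    for s in statements:
        sid = s.get("Sid", "<no sid>")
        # Rule 2: an Allow with Principal * must carry a Condition that limits it.
        if s.get("Effect") == "Allow" and "*" in _principals(s) and "Condition" not in s:
            findings.append((sid, "Allow with Principal * and no Condition"))
        # Rule 3: aws:sourceIP does not match requests arriving via a VPC endpoint.
        if "aws:sourceip" in _condition_keys(s):
            findings.append((sid, "use aws:sourceVpce or aws:sourceVpc, not aws:sourceIP"))
    return findings
```

Running lint_key_policy(SAMPLE_KEY_POLICY, ACCOUNT_ID) flags the AllowAnyone and DenyOutsideNetwork statements while accepting the IAM-enabling statement; a cross-account Allow whose Principal * is limited by a Condition passes rule 2.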
Permissions reference