Example Key Policies for KMS Questions

Can Alice perform encryption and decryption with the CMK?

IAM Policy for Alice User

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Encrypt",
            "Resource": "arn:aws:kms:ap-northeast-1:871285060102:key/68e86af6-0db6-4fd1-8c17-fb8a20c766cd"
        }
    ]
}

CMK Policy

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::037742531108:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::037742531108:user/Alice"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Decrypt*"
            ],
            "Resource": "*"
        }
    ]
}

Answer: Alice can perform encryption AND decryption

Can Alice perform encryption and decryption?

IAM Policy for Alice User

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Encrypt",
            "Resource": "arn:aws:kms:ap-northeast-1:871285060102:key/68e86af6-0db6-4fd1-8c17-fb8a20c766cd"
        }
    ]
}

CMK Policy

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::037742531108:kplabs"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::037742531108:user/Alice"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Decrypt*"
            ],
            "Resource": "*"
        }
    ]
}

Answer: Alice cannot perform encryption but she can perform decryption

Can Alice perform encryption and decryption?

IAM Policy for Alice User

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "kms:Encrypt"
            ],
            "Resource": "arn:aws:kms:ap-northeast-1:871285060102:key/68e86af6-0db6-4fd1-8c17-fb8a20c766cd"
        }
    ]
}

CMK Policy

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::037742531108:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::037742531108:user/Alice"
            },
            "Action": [
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:Decrypt*"
            ],
            "Resource": "*"
        }
    ]
}

Answer: Alice cannot perform encryption but she can perform decryption
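As an added illustration (not part of the original notes), here is a small Python model of how KMS combines the CMK key policy with Alice's IAM policy for the three questions above: explicit Deny wins, the key policy can grant Alice directly, and an IAM Allow only counts when the key policy delegates to IAM through the account root principal. It assumes the CMK's ARN is the one named in Alice's IAM policy and that Alice lives in account 037742531108.

```python
import fnmatch

# Constructed from the quiz: Alice's account, and the CMK ARN taken from her IAM policy (assumption).
ACCOUNT = "037742531108"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/Alice"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
KEY_ARN = "arn:aws:kms:ap-northeast-1:871285060102:key/68e86af6-0db6-4fd1-8c17-fb8a20c766cd"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource, principal=None):
    # A statement applies when its Action and Resource patterns match (wildcards like
    # kms:Decrypt* or *), and, for key-policy statements, when it names the principal.
    if principal is not None:
        if principal not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def kms_allows(key_policy, iam_policy, principal, action, key_arn=KEY_ARN):
    # Simplified KMS evaluation: explicit Deny wins; the key policy grants directly; an
    # IAM Allow counts only if the key policy delegates to IAM via the account root.
    key_stmts, iam_stmts = key_policy["Statement"], iam_policy["Statement"]
    for s in key_stmts + iam_stmts:
        if s["Effect"] == "Deny" and _matches(s, action, key_arn, principal if "Principal" in s else None):
            return False
    if any(s["Effect"] == "Allow" and _matches(s, action, key_arn, principal) for s in key_stmts):
        return True
    iam_enabled = any(s["Effect"] == "Allow" and _matches(s, action, key_arn, ROOT) for s in key_stmts)
    return iam_enabled and any(s["Effect"] == "Allow" and _matches(s, action, key_arn) for s in iam_stmts)

def scenario(iam_effect, enabler_principal, alice_actions):
    # Builds the IAM policy and CMK policy of one quiz item from the parts that vary.
    iam = {"Statement": [{"Effect": iam_effect, "Action": "kms:Encrypt", "Resource": KEY_ARN}]}
    key = {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": enabler_principal}, "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": alice_actions, "Resource": "*"}]}
    return key, iam

def quiz_answers():
    # {question number: (can Alice encrypt?, can Alice decrypt?)} for the three items above.
    cases = {
        1: scenario("Allow", ROOT, ["kms:DescribeKey", "kms:Decrypt*"]),
        2: scenario("Allow", f"arn:aws:iam::{ACCOUNT}:kplabs", ["kms:DescribeKey", "kms:Decrypt*"]),
        3: scenario("Deny", ROOT, ["kms:Encrypt", "kms:DescribeKey", "kms:Decrypt*"]),
    }
    return {n: (kms_allows(k, i, ALICE, "kms:Encrypt"), kms_allows(k, i, ALICE, "kms:Decrypt"))
            for n, (k, i) in cases.items()}
```

Running quiz_answers() reproduces the three answers: question 1 gives (True, True), questions 2 and 3 give (False, True).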
