KMS Condition Keys

KMS provides an additional set of predefined condition keys that you can use in key policies and IAM policies.
These condition keys are specific to KMS.
For example, you can use the kms:EncryptionContext condition key to require a particular encryption context when controlling access to a KMS CMK.

`kms:ViaService`

It limits use of an KMS CMK to requests from specified AWS services.
You can specify one or more services in each kms:ViaService condition key.
All AWS managed CMKs use a kms:ViaService condition key in their key policy document.
- This condition allows the CMK to be used only for requests that come from the service that created the CMK.
For example, the following statement from a key policy uses the kms:ViaService condition key to allow a customer managed CMK to be used for the encryption and decryption only when the request comes from EC2 or RDS in the US West (Oregon) region on behalf of ExampleUser:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "ec2.us-west-2.amazonaws.com",
        "rds.us-west-2.amazonaws.com"
      ]
    }
  }
}

You can also use a kms:ViaService condition key to deny permission to use a CMK when the request comes from particular services.
For example, the following policy statement from a key policy uses a kms:ViaService condition key to prevent a customer managed CMK from being used for Encrypt operations when the request comes from Lambda on behalf of ExampleUser:

{
  "Effect": "Deny",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": [
    "kms:Encrypt"    
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
          "lambda.us-west-2.amazonaws.com"
      ]
    }
  }
}

`kms:GranteePrincipal`

You can use this condition key to control access to the CreateGrant operation based on the value of the GranteePrincipal parameter in the request.
The following example policy statement uses the kms:GranteePrincipal condition key to allow a user to create grants for a CMK only when the grantee principal in the grant is the LimitedAdminRole.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:GranteePrincipal": "arn:aws:iam::111122223333:role/LimitedAdminRole"
    }
  }
}

PreviousImporting key material in KMS NextMigrating Encrypted KMS Data Across Regions

Last updated 5 years ago

hashtagkms:ViaService

hashtagkms:GranteePrincipal

`kms:ViaService`

`kms:GranteePrincipal`