KMS Condition Keys

  • KMS provides an additional set of predefined condition keys that you can use in key policies and IAM policies.

  • These condition keys are specific to KMS.

  • For example, you can use the kms:EncryptionContext condition key to require a particular encryption context when controlling access to a KMS CMK.

kms:ViaService

  • It limits use of a KMS CMK to requests that come from the specified AWS services.

  • You can specify one or more services in each kms:ViaService condition key.

  • All AWS managed CMKs use a kms:ViaService condition key in their key policy document.

    • This condition allows the CMK to be used only for requests that come from the service that created the CMK.

  • For example, the following statement from a key policy uses the kms:ViaService condition key to allow a customer managed CMK to be used for encryption and decryption only when the request comes from EC2 or RDS in the US West (Oregon) region on behalf of ExampleUser:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "ec2.us-west-2.amazonaws.com",
        "rds.us-west-2.amazonaws.com"
      ]
    }
  }
}

  • You can also use a kms:ViaService condition key to deny permission to use a CMK when the request comes from particular services.

  • For example, the following policy statement from a key policy uses a kms:ViaService condition key to prevent a customer managed CMK from being used for Encrypt operations when the request comes from Lambda on behalf of ExampleUser:

{
  "Effect": "Deny",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": [
    "kms:Encrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "lambda.us-west-2.amazonaws.com"
      ]
    }
  }
}

kms:GranteePrincipal

  • You can use this condition key to control access to the CreateGrant operation based on the value of the GranteePrincipal parameter in the request.

  • The following example policy statement uses the kms:GranteePrincipal condition key to allow a user to create grants for a CMK only when the grantee principal in the grant is the LimitedAdminRole.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:GranteePrincipal": "arn:aws:iam::111122223333:role/LimitedAdminRole"
    }
  }
}
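To make the evaluation rules behind the three statements above concrete (the kms:ViaService Allow, the kms:ViaService Deny, and the kms:GranteePrincipal Allow), here is a small evaluator added as an illustration. It is constructed code, not part of these notes and not the AWS policy engine; it models only the subset of semantics the examples rely on: a StringEquals list matches when any value equals the request-context value, a condition key absent from the request context makes the condition false (so a direct API call never satisfies kms:ViaService), evaluation is default-deny, and an explicit Deny overrides any Allow. The helper names (evaluate, via, BROAD_ALLOW) and the combined KEY_POLICY are assumptions of this example.

```python
"""Constructed teaching evaluator for KMS key-policy statements that use the
kms:ViaService and kms:GranteePrincipal condition keys.  NOT the AWS policy
engine; it only models: StringEquals (any listed value may match), missing
context key => condition false, default deny, explicit Deny beats Allow."""
from typing import Any, Dict, List, Optional

Statement = Dict[str, Any]

EXAMPLE_USER = "arn:aws:iam::111122223333:user/ExampleUser"
LIMITED_ADMIN = "arn:aws:iam::111122223333:role/LimitedAdminRole"

# The three statements from the notes, combined into one key policy.
KEY_POLICY: List[Statement] = [
    {   # Encrypt/Decrypt only when EC2 or RDS in us-west-2 calls on the user's behalf
        "Effect": "Allow",
        "Principal": {"AWS": EXAMPLE_USER},
        "Action": ["kms:Encrypt", "kms:Decrypt"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": [
            "ec2.us-west-2.amazonaws.com", "rds.us-west-2.amazonaws.com"]}},
    },
    {   # Never Encrypt when the request arrives via Lambda in us-west-2
        "Effect": "Deny",
        "Principal": {"AWS": EXAMPLE_USER},
        "Action": ["kms:Encrypt"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": [
            "lambda.us-west-2.amazonaws.com"]}},
    },
    {   # CreateGrant only when the grantee is LimitedAdminRole
        "Effect": "Allow",
        "Principal": {"AWS": EXAMPLE_USER},
        "Action": "kms:CreateGrant",
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:GranteePrincipal": LIMITED_ADMIN}},
    },
]

# Constructed extra statement used to show that an explicit Deny still wins
# even when some other statement would otherwise allow the call.
BROAD_ALLOW: Statement = {
    "Effect": "Allow",
    "Principal": {"AWS": EXAMPLE_USER},
    "Action": "kms:*",
    "Resource": "*",
}


def via(service: str, region: str) -> Dict[str, str]:
    """Request context of a call made by an integrated service on the caller's behalf."""
    return {"kms:ViaService": f"{service}.{region}.amazonaws.com"}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt: Statement, principal: str) -> bool:
    who = stmt["Principal"]
    return who == "*" or principal in _as_list(who.get("AWS", []))


def _action_matches(stmt: Statement, action: str) -> bool:
    return any(a in ("*", "kms:*", action) for a in _as_list(stmt["Action"]))


def _conditions_match(stmt: Statement, context: Dict[str, str]) -> bool:
    # Every operator block and every key inside it must hold (AND);
    # multiple values listed for one key are alternatives (OR).
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, wanted in pairs.items():
            actual = context.get(key)          # None when the key is absent
            if actual is None or actual not in _as_list(wanted):
                return False
    return True


def evaluate(policy: List[Statement], principal: str, action: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'ALLOW' or 'DENY' (explicit or implicit) for one request."""
    context = context or {}
    allowed = False
    for stmt in policy:
        if not (_principal_matches(stmt, principal)
                and _action_matches(stmt, action)
                and _conditions_match(stmt, context)):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"                      # explicit deny ends evaluation
        allowed = True
    return "ALLOW" if allowed else "DENY"      # DENY here is the implicit default


if __name__ == "__main__":
    print("Encrypt via EC2 us-west-2 :", evaluate(KEY_POLICY, EXAMPLE_USER, "kms:Encrypt", via("ec2", "us-west-2")))
    print("Encrypt direct call       :", evaluate(KEY_POLICY, EXAMPLE_USER, "kms:Encrypt"))
    print("Encrypt via Lambda + broad:", evaluate(KEY_POLICY + [BROAD_ALLOW], EXAMPLE_USER, "kms:Encrypt", via("lambda", "us-west-2")))
    print("CreateGrant to other role :", evaluate(KEY_POLICY, EXAMPLE_USER, "kms:CreateGrant", {"kms:GranteePrincipal": "arn:aws:iam::111122223333:role/Other"}))
```

Running it shows why the Deny statement earns its place: on its own, a request via Lambda is already implicitly denied because no Allow covers it, but once a broader Allow exists anywhere (here BROAD_ALLOW, in practice often an IAM policy or a later key-policy edit), only the explicit Deny keeps Lambda-originated Encrypt calls blocked. The same evaluator also shows that a region mismatch (EC2 in us-east-1) or a different grantee principal fails the StringEquals check and falls through to the implicit deny.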
