KMS Condition Keys
KMS provides an additional set of predefined condition keys that you can use in key policies and IAM policies.
These condition keys are specific to KMS.
For example, you can use the kms:EncryptionContext condition key to require a particular encryption context when controlling access to a KMS CMK.
kms:ViaService
The kms:ViaService condition key limits use of a KMS CMK to requests from specified AWS services. You can specify one or more services in each kms:ViaService condition key.
All AWS managed CMKs use a kms:ViaService condition key in their key policy document. This condition allows the CMK to be used only for requests that come from the service that created the CMK.
For example, the following statement from a key policy uses the kms:ViaService condition key to allow a customer managed CMK to be used for encryption and decryption only when the request comes from EC2 or RDS in the US West (Oregon) region on behalf of ExampleUser:
```json
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "ec2.us-west-2.amazonaws.com",
        "rds.us-west-2.amazonaws.com"
      ]
    }
  }
}
```

You can also use a kms:ViaService condition key to deny permission to use a CMK when the request comes from particular services. For example, the following policy statement from a key policy uses a kms:ViaService condition key to prevent a customer managed CMK from being used for Encrypt operations when the request comes from Lambda on behalf of ExampleUser:
kms:GranteePrincipal
You can use this condition key to control access to the CreateGrant operation based on the value of the GranteePrincipal parameter in the request.
The following example policy statement uses the kms:GranteePrincipal condition key to allow a user to create grants for a CMK only when the grantee principal in the grant is the LimitedAdminRole.
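To make the behaviour of the kms:ViaService and kms:GranteePrincipal conditions concrete, here is an added, simplified model of how a key policy with these conditions is evaluated (example code written for this page, not AWS code or the real IAM engine). It assumes the request context carries kms:ViaService only when an integrated service calls KMS on the caller's behalf; the Lambda service name and the LimitedAdminRole ARN are constructed values.

```python
# Simplified model of IAM evaluation for the KMS condition keys discussed above.
# Constructed illustration, not the real IAM engine: a request context holds only
# the keys present on that request (kms:ViaService exists only when an integrated
# AWS service calls KMS on the caller's behalf; direct API calls lack it).

def condition_matches(condition, context):
    """StringEquals: every key must be present in the context and equal one of
    the listed values. An absent key (a direct kms:Decrypt call has no
    kms:ViaService) makes the condition false, so neither an Allow nor a Deny
    that depends on it applies to that request."""
    for key, allowed in condition.get("StringEquals", {}).items():
        values = [allowed] if isinstance(allowed, str) else allowed
        if context.get(key) not in values:
            return False
    return True

def evaluate(statements, action, context):
    """Explicit Deny wins over Allow; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

ACCOUNT = "111122223333"  # account id taken from the page's example ARN
# Allow statement from the page (Principal and Resource omitted in this model).
VIA_SERVICE_ALLOW = {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"],
                     "Condition": {"StringEquals": {"kms:ViaService": [
                         "ec2.us-west-2.amazonaws.com", "rds.us-west-2.amazonaws.com"]}}}
# Constructed Deny of the kind the page describes for Encrypt requests arriving via Lambda.
LAMBDA_DENY = {"Effect": "Deny", "Action": "kms:Encrypt",
               "Condition": {"StringEquals": {"kms:ViaService": "lambda.us-west-2.amazonaws.com"}}}
# Constructed Allow restricting CreateGrant to the LimitedAdminRole grantee (ARN assumed).
GRANTEE_ALLOW = {"Effect": "Allow", "Action": "kms:CreateGrant",
                 "Condition": {"StringEquals": {
                     "kms:GranteePrincipal": f"arn:aws:iam::{ACCOUNT}:role/LimitedAdminRole"}}}
KEY_POLICY = [VIA_SERVICE_ALLOW, LAMBDA_DENY, GRANTEE_ALLOW]

def decide(action, context):
    """Decision for one request against the model key policy above."""
    return evaluate(KEY_POLICY, action, context)
```

Note that a direct kms:Decrypt call by ExampleUser has no kms:ViaService key in its context, so the StringEquals condition fails and the Allow does not apply; the same absence means the Lambda Deny does not fire on direct calls either.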