KMS Grants

  • A grant is a policy instrument that allows AWS principals to use KMS CMKs in cryptographic operations.

  • Grants:

    • Suited to temporary permissions, because you can create one, use its permissions, and delete it without changing your key policies or IAM policies.

  • Key policies:

    • Establish long-term, static permissions to the CMK.

  • IAM policies:

    • Control access to operations that don't involve a particular CMK, such as CreateKey, and describe permissions that apply to multiple CMKs or that include permissions for the resources of multiple AWS services.

  • Users with permission to create grants for a CMK (kms:CreateGrant) can use a grant to allow users and roles, including AWS services, to use the CMK. The principals can be identities in your own AWS account or identities in a different account or organization.

  • Grant:

    • A policy instrument that allows AWS principals to use KMS CMKs in cryptographic operations.

  • Grant token:

    • A unique, non-secret, variable-length, base64-encoded string that represents a grant.

    • You can use the grant token to identify the grant in any grant operation.

  • Grantee principal:

    • The identity that gets the permissions specified in the grant.

    • A grant must have at least one grantee principal.

  • Eventual consistency (for grants):

    • When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, before the change is available throughout KMS.
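The grant lifecycle described above (create, use the grant token while the grant propagates, then retire), as an added example that is not from the original page or from AWS's own SDK. It runs offline against a constructed in-memory stand-in for boto3's KMS client: `FakeKms`, its `propagate` and `is_allowed` helpers, and the ARNs are assumptions, while the `create_grant`, `list_grants` and `retire_grant` names and keyword arguments mirror the real boto3 methods.

```python
import base64
import secrets


class FakeKms:
    """Constructed stand-in for boto3.client('kms') that models grant eventual
    consistency: a new grant is invisible to authorization checks until
    propagate() runs, unless its grant token is presented with the request."""

    def __init__(self):
        self.visible = {}   # grant_id -> grant record, replicated everywhere
        self.pending = {}   # grant_id -> grant record, still propagating

    def create_grant(self, KeyId, GranteePrincipal, Operations, Constraints=None):
        grant_id = secrets.token_hex(16)
        # Grant tokens are non-secret, variable-length, base64-encoded strings.
        token = base64.b64encode(secrets.token_bytes(24)).decode()
        self.pending[grant_id] = {"KeyId": KeyId, "GranteePrincipal": GranteePrincipal,
                                  "Operations": list(Operations), "GrantToken": token}
        return {"GrantId": grant_id, "GrantToken": token}

    def propagate(self):
        """Simulates the end of the (usually under five minute) replication delay."""
        self.visible.update(self.pending)
        self.pending.clear()

    def list_grants(self, KeyId):
        return {"Grants": [g for g in self.visible.values() if g["KeyId"] == KeyId]}

    def retire_grant(self, KeyId, GrantId):
        self.visible.pop(GrantId, None)
        self.pending.pop(GrantId, None)

    def is_allowed(self, KeyId, Principal, Operation, GrantTokens=()):
        """Constructed check standing in for the authorization KMS performs on a
        cryptographic call (e.g. Encrypt) that accepts GrantTokens."""
        pool = list(self.visible.values())
        pool += [g for g in self.pending.values() if g["GrantToken"] in GrantTokens]
        return any(g["KeyId"] == KeyId and g["GranteePrincipal"] == Principal
                   and Operation in g["Operations"] for g in pool)


def temporary_grant(kms, key_id, grantee, operations=("Encrypt",)):
    """Create -> use -> retire, with no change to key policies or IAM policies.
    Returns (allowed before propagation, allowed with token, allowed after retire)."""
    resp = kms.create_grant(KeyId=key_id, GranteePrincipal=grantee, Operations=operations)
    without_token = kms.is_allowed(key_id, grantee, "Encrypt")            # still pending
    with_token = kms.is_allowed(key_id, grantee, "Encrypt", [resp["GrantToken"]])
    kms.retire_grant(KeyId=key_id, GrantId=resp["GrantId"])                # temporary permission ends
    after_retire = kms.is_allowed(key_id, grantee, "Encrypt", [resp["GrantToken"]])
    return without_token, with_token, after_retire
```

Least privilege shows up in `Operations`: a grant for `Encrypt` alone does not let the grantee call `Decrypt`, which the test below checks.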
