Managing access to KMS CMKs

  • The primary way to manage access to your AWS KMS CMKs is with policies.

  • Policies attached to an IAM identity are called identity-based policies (or IAM policies).

  • Policies attached to other kinds of resources are called resource-based policies.

  • In KMS, the resource-based policy attached to a CMK is called a key policy; every KMS CMK has one.

  • You can control access to your KMS CMKs in these ways:

    • Use the key policy - You must use the key policy to control access to a CMK. You can use the key policy alone to control access.

    • Use IAM policies in combination with the key policy - Controlling access this way enables you to manage all of the permissions for your IAM identities in IAM.

    • Use grants in combination with the key policy - Controlling access this way enables you to allow access to the CMK in the key policy, and to allow users to delegate their access to others.

  • IAM policies by themselves are not sufficient to allow access to a CMK, though you can use them in combination with a CMK's key policy.
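The relationship in the last two bullets is easiest to see in a key policy document. The following is an added example, not from the page: a constructed key policy whose first statement delegates to IAM (the account-root `kms:*` statement), plus two small audit helpers that check whether a key policy contains that delegation and which principals get full access directly in the key policy. The account id 111122223333, the role name `app-role`, and the helper function names are placeholders.

```python
import json

# Constructed sample key policy for illustration (not from the page).
# 111122223333 is a placeholder account id, in the style of AWS docs.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Without this statement, IAM policies alone cannot grant access to the CMK.
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # Access granted directly in the key policy; no IAM policy is required.
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "*",
        },
    ],
})

def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _aws_principals(statement):
    """Return the AWS principals of a statement ('*' means any principal)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))

def allow_statements(policy_json):
    return [s for s in _as_list(json.loads(policy_json)["Statement"]) if s.get("Effect") == "Allow"]

def delegates_to_iam(policy_json, account_id):
    """True if the key policy grants kms:* to the account root principal, which is
    what allows identity-based IAM policies to take effect for this CMK."""
    root = f"arn:aws:iam::{account_id}:root"
    return any(root in _aws_principals(s) and "kms:*" in _as_list(s.get("Action", []))
               for s in allow_statements(policy_json))

def full_access_principals(policy_json):
    """Principals given kms:* directly in the key policy (worth reviewing: they need no IAM policy)."""
    return sorted({p for s in allow_statements(policy_json) if "kms:*" in _as_list(s.get("Action", []))
                   for p in _aws_principals(s)})
```

Running `delegates_to_iam` over every CMK's key policy is a quick way to find keys where an IAM-only access model silently fails, and `full_access_principals` highlights principals whose access cannot be revoked from IAM alone.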
