kms:GrantIsForAWSResource

Allows or denies permission for the CreateGrant, ListGrants, or RevokeGrant operations only when an AWS services integrated with KMS calls the operation on the user's behalf.
This policy condition doesn't allow the user to call these grant operations directly.
The following example key policy statement uses the kms:GrantIsForAWSResource condition key.
- It allows AWS services that are integrated with KMS, such as EBS, to create grants on this CMK on behalf of the specified user.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": true
    }
  }
}

PreviousKMS Key Policies NextMigrating data from encrypted EBS volume to an unencrypted EBS volume

Last updated 4 years ago