KMS Key Policies
KMS supports two resource-based access control mechanisms: key policies and grants.
With grants, you can programmatically delegate the use of KMS CMKs to other AWS principals.
You can use them to allow access, but not deny it.
Because grants can be very specific, and are easy to create and revoke, they are often used to provide temporary permissions or more granular permissions.
You can also use key policies to allow other principals to access a CMK, but key policies work best for relatively static permission assignments.
Also, key policies use the standard permissions model for AWS policies in which users either have or do not have permission to perform an action with a resource.
For example, users with the kms:PutKeyPolicy permission for a CMK can completely replace its key policy with a different key policy of their choice. To enable more granular permissions management, use grants.
You can specify conditions in the key policies and IAM policies that control access to KMS resources. The policy statement is effective only when the conditions are true.
For example, you might want a policy statement to take effect only after a specific date. Or, you might want a policy statement to control access only when a specific value appears in an API request.
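The two condition examples above (a statement that takes effect only after a date, and one that applies only when a specific value appears in the request) can be expressed in a single key policy statement. The following is an added example, not code from the original page: the account id, role ARN and cutover date are constructed placeholders, and the small evaluator is a deliberately reduced model of the documented evaluation order (an explicit Deny wins, otherwise any matching Allow, otherwise implicit deny) that supports only the two operators the policy uses. It also illustrates the kms:PutKeyPolicy point: the application role is granted cryptographic operations only, so it cannot rewrite the policy.

```python
"""Key policy statements with conditions, plus a minimal evaluator (added example)."""
import json
from datetime import datetime

ACCOUNT_ID = "111122223333"                                  # placeholder account id
APP_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/PayrollApp"     # placeholder principal
ROOT = f"arn:aws:iam::{ACCOUNT_ID}:root"


def build_key_policy(not_before: str) -> dict:
    """Root keeps full administrative access (including kms:PutKeyPolicy).
    PayrollApp may use the key only after `not_before` and only for requests
    whose encryption context carries Department=Finance."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootAccess",
                "Effect": "Allow",
                "Principal": {"AWS": ROOT},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowPayrollAppAfterCutover",
                "Effect": "Allow",
                "Principal": {"AWS": APP_ROLE},
                # Cryptographic operations only: no kms:PutKeyPolicy, so the app
                # cannot replace this policy with one of its own choosing.
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
                "Resource": "*",
                "Condition": {
                    "DateGreaterThan": {"aws:CurrentTime": not_before},
                    "StringEquals": {"kms:EncryptionContext:Department": "Finance"},
                },
            },
        ],
    }


def policy_json(not_before: str) -> str:
    """Serialised form, as it would be passed to PutKeyPolicy."""
    return json.dumps(build_key_policy(not_before), indent=2)


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _action_matches(pattern, action: str) -> bool:
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(p == "kms:*" or p == action for p in patterns)


def _conditions_hold(condition: dict, request: dict) -> bool:
    """Every condition block must hold. A condition key absent from the
    request (for example no encryption context) makes the statement not apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "DateGreaterThan":
                if not _parse_ts(actual) > _parse_ts(expected):
                    return False
            else:
                raise NotImplementedError(f"operator not modelled: {operator}")
    return True


def evaluate(policy: dict, request: dict) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for a request described as
    {'principal': arn, 'action': 'kms:...', <condition keys>: values}."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt["Principal"]["AWS"] != request["principal"]:
            continue
        if not _action_matches(stmt["Action"], request["action"]):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny always wins
        decision = "Allow"
    return decision
```

Running `evaluate` against requests that differ only in the timestamp or the encryption context shows the statement switching between effective and not effective, which is exactly the behaviour the paragraph describes.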
generate-data-key
Generates a unique symmetric data key for client-side encryption.
Returns:
Plaintext copy of the data key.
A copy of the data key that is encrypted under a CMK that you specify.
generate-data-key-pair
Generates a unique asymmetric data key pair.
Returns:
Plaintext public key.
Plaintext private key.
A copy of the private key that is encrypted under the symmetric CMK you specify.
generate-data-key-pair-without-plaintext
Generates a unique asymmetric data key pair.
Returns:
Plaintext public key.
A copy of the private key that is encrypted under the symmetric CMK you specify.
Unlike GenerateDataKeyPair, this operation does not return a plaintext private key.
generate-data-key-without-plaintext
Generates a unique symmetric data key.
Returns:
Data key that is encrypted under a CMK that you specify.
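The operations listed above are the building blocks of envelope encryption: the plaintext data key is used in memory to encrypt data locally, only the copy encrypted under the CMK is stored next to the data, and decryption later hands that encrypted copy back to KMS. The following is an added example, not code from the original page. It talks to KMS through an injectable client using the boto3 method and parameter names (GenerateDataKey, GenerateDataKeyWithoutPlaintext, Decrypt) so the flow runs offline against a constructed FakeKms; with real AWS you would pass `boto3.client("kms")` instead. The local cipher (HMAC-SHA256 in counter mode with an HMAC tag) is a dependency-free stand-in so the example runs anywhere; for production use AES-GCM from a vetted library for the local step. The fake also models the fact that KMS binds the encryption context to the ciphertext, so Decrypt with a different context fails.

```python
"""Envelope encryption with GenerateDataKey / Decrypt (added example, constructed fake KMS)."""
import hashlib
import hmac
import os
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an AEAD: nonce(16) || ciphertext || tag(32).
    `aad` is authenticated but not encrypted."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct + aad, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or encryption context")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _canonical_context(ctx: dict) -> bytes:
    # KMS binds the encryption context to the ciphertext; the fake models it as AAD.
    return "&".join(f"{k}={v}" for k, v in sorted(ctx.items())).encode()


class FakeKms:
    """Constructed stand-in exposing the subset of the KMS API used below."""

    def __init__(self):
        self._cmks = {}  # key id -> CMK material (never leaves the fake)

    def create_key(self):
        key_id = f"fake-cmk-{len(self._cmks) + 1}"   # placeholder id, not a real ARN
        self._cmks[key_id] = os.urandom(32)
        return {"KeyMetadata": {"KeyId": key_id}}

    def _wrap(self, key_id, plaintext, ctx):
        return key_id.encode() + b"|" + _seal(self._cmks[key_id], plaintext, _canonical_context(ctx))

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        plaintext = os.urandom(32 if KeySpec == "AES_256" else 16)
        blob = self._wrap(KeyId, plaintext, EncryptionContext or {})
        return {"Plaintext": plaintext, "CiphertextBlob": blob, "KeyId": KeyId}

    def generate_data_key_without_plaintext(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        resp = self.generate_data_key(KeyId, KeySpec, EncryptionContext)
        del resp["Plaintext"]   # the only difference: no plaintext copy is returned
        return resp

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        key_id, blob = CiphertextBlob.split(b"|", 1)
        key_id = key_id.decode()
        plaintext = _open(self._cmks[key_id], blob, _canonical_context(EncryptionContext or {}))
        return {"Plaintext": plaintext, "KeyId": key_id}


def envelope_encrypt(kms, key_id: str, data: bytes, context: dict) -> dict:
    """Encrypt `data` locally under a fresh data key; persist only the wrapped key."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=context)
    ciphertext = _seal(dk["Plaintext"], data, b"")
    # The plaintext key is not stored anywhere; only CiphertextBlob travels with the data.
    return {"wrapped_key": dk["CiphertextBlob"], "ciphertext": ciphertext, "context": dict(context)}


def envelope_decrypt(kms, record: dict, context: dict) -> bytes:
    """Ask KMS to unwrap the data key (context must match), then decrypt locally."""
    dk = kms.decrypt(CiphertextBlob=record["wrapped_key"], EncryptionContext=context)
    return _open(dk["Plaintext"], record["ciphertext"], b"")
```

The record returned by `envelope_encrypt` is what you would write to storage: the encrypted data key and the ciphertext, never the plaintext key. A component that only needs to produce a key for later use elsewhere would call `generate_data_key_without_plaintext` and store the blob, so no plaintext key material exists in that process at all.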