Key Policies, Grants, and Conditions
Control exactly who can use a key and under what context.
Controlling Who Uses a Key
Creating a key is half the job; controlling who may use it is the other half. KMS uses several access mechanisms layered together.
The most important is the key policy, the resource-based policy attached directly to the key.
The Key Policy
Every KMS key has a key policy that is the primary authority over access.
- Unlike resources in most other services, a KMS key must have a key policy.
- If the key policy does not grant access, IAM policies alone cannot grant it.
This makes the key policy the gatekeeper.
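The gatekeeper rule above, as an added example (not code from this course or from AWS): a simplified same-account model that shows an IAM allow having no effect until the key policy names the account root principal. The account ID, role names, and both key policies are constructed for illustration, and the model ignores Deny statements, conditions, and grants.

```python
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed example account ID
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AppRole"  # hypothetical role

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(stmt, principal_arn, action):
    """True if an Allow statement names this principal and matches the action."""
    principal = stmt.get("Principal", {})
    named = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    patterns = _as_list(stmt.get("Action", []))
    return (stmt.get("Effect") == "Allow" and principal_arn in named
            and any(fnmatchcase(action.lower(), p.lower()) for p in patterns))

def can_use_key(key_policy, principal_arn, action, iam_allows):
    """Simplified same-account model; ignores Deny, Condition and grants."""
    stmts = _as_list(key_policy.get("Statement", []))
    if any(_allows(s, principal_arn, action) for s in stmts):
        return True, "key policy names the principal directly"
    if any(_allows(s, ROOT, action) for s in stmts):
        # Naming the account root is what lets IAM policies take effect.
        if iam_allows:
            return True, "key policy delegates to IAM and IAM allows"
        return False, "delegated to IAM, but no IAM policy allows it"
    return False, "key policy grants nothing, so IAM alone cannot"

# Constructed key policy: only a key-admin role is named, no root statement.
LOCKED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"},
    "Action": "kms:*", "Resource": "*"}]}

# Same policy plus a statement naming the account root.
DELEGATING = {"Version": "2012-10-17", "Statement": LOCKED["Statement"] + [{
    "Effect": "Allow", "Principal": {"AWS": ROOT},
    "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("LOCKED", LOCKED), ("DELEGATING", DELEGATING)):
        print(name, can_use_key(policy, APP_ROLE, "kms:Decrypt", iam_allows=True))
```

With the LOCKED policy, AppRole is refused even though its IAM policy allows kms:Decrypt; the same request succeeds under DELEGATING.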