AWS Key Management Service (KMS) key policies are resource-based policies that control access to customer master keys (CMKs) in AWS. They serve as the primary method for defining who can use and manage encryption keys within your AWS environment.
Key policies are JSON documents attached to each CM…AWS Key Management Service (KMS) key policies are resource-based policies that control access to customer master keys (CMKs) in AWS. They serve as the primary method for defining who can use and manage encryption keys within your AWS environment.
Key policies are JSON documents attached to each CMK and determine which principals (users, roles, or AWS accounts) can perform specific actions on the key. Unlike IAM policies alone, key policies are mandatory for CMKs - every CMK must have exactly one key policy.
The default key policy grants the AWS account root user full access to the CMK, which enables IAM policies to also control access. This combination of key policies and IAM policies provides flexible access management. You can choose to rely solely on the key policy or use it in conjunction with IAM policies and grants.
Key policy statements include several important elements: Effect (Allow or Deny), Principal (who receives permissions), Action (KMS operations like kms:Encrypt, kms:Decrypt, kms:GenerateDataKey), Resource (always * for key policies since it applies to the CMK itself), and optional Conditions for fine-grained control.
Common use cases include granting cross-account access, allowing specific IAM users or roles to encrypt and decrypt data, separating key administrators from key users, and enabling AWS services to use CMKs on your behalf.
For the AWS Developer Associate exam, understand that key policies work alongside IAM policies - both must allow the action for it to succeed. Also remember that grants provide temporary, programmatic access to CMKs and are useful when you need to delegate access to other principals.
Best practices include following least privilege principles, regularly auditing key policies, using conditions to restrict access based on context, and understanding the difference between key administrators (who manage keys) and key users (who use keys for cryptographic operations).
KMS Key Policies are the primary way to control access to AWS Key Management Service (KMS) keys. Unlike most AWS resources that rely solely on IAM policies, KMS keys require a key policy to function. Understanding key policies is essential for securing your encryption keys and ensuring proper access control in AWS environments.
What Are KMS Key Policies?
A KMS key policy is a resource-based policy attached to a KMS key that defines who can use and manage the key. Every KMS key must have exactly one key policy. Key policies are JSON documents that specify:
• Principals - Who can access the key (AWS accounts, IAM users, roles) • Actions - What operations they can perform (encrypt, decrypt, create grants) • Conditions - When the policy statements apply
How KMS Key Policies Work
Default Key Policy: When you create a KMS key through the console, AWS creates a default key policy that: • Gives the AWS account (root user) full access to the key • Allows IAM policies to grant access to the key • Enables key administrators and key users based on your selections
Key Policy vs IAM Policy: • Key policies are mandatory - every KMS key must have one • IAM policies alone cannot grant access to KMS keys unless the key policy allows it • The key policy must explicitly allow the account to use IAM policies for access control
The Root Account Statement: A critical element in key policies is the statement that allows the root account access:
This statement is crucial because it enables IAM policies to be used for granting KMS access.
Key Policy Components
• Key Administrators - Can manage the key (enable, disable, delete, modify policy) but cannot use it for cryptographic operations • Key Users - Can use the key for encrypt/decrypt operations • Grants - Allow delegating subset of permissions to other principals temporarily
Cross-Account Access
To allow cross-account access to a KMS key: 1. The key policy must allow the external account 2. The external account must have IAM policies allowing the user/role to use the key
Exam Tips: Answering Questions on KMS Key Policies
Key Points to Remember:
✓ Key policies are required - You cannot delete the key policy from a KMS key
✓ IAM policies need key policy permission - If a question asks why an IAM policy for KMS isn't working, check if the key policy allows IAM policy usage
✓ Root account access is critical - Removing root account access from a key policy can make the key unmanageable; AWS Support intervention may be required
✓ Cross-account = key policy + IAM policy - Both are needed for cross-account access scenarios
✓ Grants vs Policies - Grants are used for temporary, programmatic delegation of permissions; policies are for long-term access
✓ Key policy actions - Know the difference between administrative actions (kms:Create*, kms:Delete*, kms:Put*) and usage actions (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey)
✓ Condition keys - Be familiar with kms:ViaService, kms:CallerAccount, and kms:EncryptionContext for restricting key usage
Common Exam Scenarios:
• User has IAM permissions but cannot decrypt → Check key policy • Need to share KMS key across accounts → Modify key policy AND create IAM policy in target account • Application needs temporary access to KMS key → Use Grants • Restrict key usage to specific AWS service → Use kms:ViaService condition