kms:*

AWS AWS Key Management Service IAM Actions

55 IAM actions for kms:*

Actions

55 actions available. Filter by access level or search by name.

Filter:

Action	Access Level
`kms:CancelKeyDeletion`	Write
`kms:ConnectCustomKeyStore`	Read
`kms:CreateAlias`	Write
`kms:CreateCustomKeyStore`	Write
`kms:CreateGrant`	Permissions
`kms:CreateKey`	Write
`kms:Decrypt`	Read
`kms:DeleteAlias`	Write
`kms:DeleteCustomKeyStore`	Write
`kms:DeleteImportedKeyMaterial`	Write
`kms:DeriveSharedSecret`	Read
`kms:DescribeCustomKeyStores`	Read
`kms:DescribeKey`	Read
`kms:DisableKey`	Write
`kms:DisableKeyRotation`	Write
`kms:DisconnectCustomKeyStore`	Read
`kms:EnableKey`	Write
`kms:EnableKeyRotation`	Write
`kms:Encrypt`	Read
`kms:GenerateDataKey`	Read
`kms:GenerateDataKeyPair`	Read
`kms:GenerateDataKeyPairWithoutPlaintext`	Read
`kms:GenerateDataKeyWithoutPlaintext`	Read
`kms:GenerateMac`	Read
`kms:GenerateRandom`	Read
`kms:GetKeyPolicy`	Permissions
`kms:GetKeyRotationStatus`	Read
`kms:GetParametersForImport`	Read
`kms:GetPublicKey`	Read
`kms:ImportKeyMaterial`	Write
`kms:ListAliases`	List
`kms:ListGrants`	Permissions
`kms:ListKeyPolicies`	List
`kms:ListKeyRotations`	List
`kms:ListKeys`	List
`kms:ListResourceTags`	Tagging
`kms:ListRetirableGrants`	Permissions
`kms:PutKeyPolicy`	Permissions
`kms:ReEncryptFrom`	Read
`kms:ReEncryptTo`	Read
`kms:ReplicateKey`	Read
`kms:RetireGrant`	Permissions
`kms:RevokeGrant`	Permissions
`kms:RotateKeyOnDemand`	Write
`kms:ScheduleKeyDeletion`	Read
`kms:Sign`	Read
`kms:SynchronizeMultiRegionKey`	Read
`kms:TagResource`	Tagging
`kms:UntagResource`	Tagging
`kms:UpdateAlias`	Write
`kms:UpdateCustomKeyStore`	Write
`kms:UpdateKeyDescription`	Write
`kms:UpdatePrimaryRegion`	Write
`kms:Verify`	Read
`kms:VerifyMac`	Read

Resource Types

ARN patterns for resources in this service.

Resource	ARN Pattern
`${ResourceType}`	`arn:aws:kms:${Region}:${Account}:${ResourceType}/${Id}`

Condition Keys

Condition keys you can use in IAM policy conditions for this service.

aws:RequestTag/${TagKey}aws:ResourceTag/${TagKey}aws:TagKeyskms:BypassPolicyLockoutSafetyCheckkms:CallerAccountkms:CustomerMasterKeySpeckms:CustomerMasterKeyUsagekms:DataKeyPairSpeckms:EncryptionAlgorithmkms:EncryptionContext:${EncryptionContextKey}kms:EncryptionContextKeyskms:ExpirationModelkms:GrantConstraintTypekms:GrantIsForAWSResourcekms:GrantOperationskms:GranteePrincipalkms:KeyAgreementAlgorithmkms:KeyOriginkms:KeySpeckms:KeyUsagekms:MacAlgorithmkms:MessageTypekms:MultiRegionkms:MultiRegionKeyTypekms:PrimaryRegionkms:ReEncryptOnSameKeykms:RecipientAttestation:ImageSha384kms:RecipientAttestation:NitroTPMPCR0kms:RecipientAttestation:NitroTPMPCR1kms:RecipientAttestation:NitroTPMPCR10kms:RecipientAttestation:NitroTPMPCR11kms:RecipientAttestation:NitroTPMPCR12kms:RecipientAttestation:NitroTPMPCR13kms:RecipientAttestation:NitroTPMPCR14kms:RecipientAttestation:NitroTPMPCR15kms:RecipientAttestation:NitroTPMPCR16kms:RecipientAttestation:NitroTPMPCR17kms:RecipientAttestation:NitroTPMPCR18kms:RecipientAttestation:NitroTPMPCR19kms:RecipientAttestation:NitroTPMPCR2kms:RecipientAttestation:NitroTPMPCR20kms:RecipientAttestation:NitroTPMPCR21kms:RecipientAttestation:NitroTPMPCR22kms:RecipientAttestation:NitroTPMPCR23kms:RecipientAttestation:NitroTPMPCR3kms:RecipientAttestation:NitroTPMPCR4kms:RecipientAttestation:NitroTPMPCR5kms:RecipientAttestation:NitroTPMPCR6kms:RecipientAttestation:NitroTPMPCR7kms:RecipientAttestation:NitroTPMPCR8kms:RecipientAttestation:NitroTPMPCR9kms:RecipientAttestation:PCR0kms:RecipientAttestation:PCR1kms:RecipientAttestation:PCR10kms:RecipientAttestation:PCR11kms:RecipientAttestation:PCR12kms:RecipientAttestation:PCR13kms:RecipientAttestation:PCR14kms:RecipientAttestation:PCR15kms:RecipientAttestation:PCR16kms:RecipientAttestation:PCR17kms:RecipientAttestation:PCR18kms:RecipientAttestation:PCR19kms:RecipientAttestation:PCR2kms:RecipientAttestation:PCR20kms:RecipientAttestation:PCR21kms:RecipientAttestation:PCR22kms:RecipientAttestation:PCR23kms:RecipientAttestation:PCR24kms:RecipientAttestation:PCR25kms:RecipientAttestation:PCR26kms:RecipientAttestation:PCR27kms:RecipientAttestation:PCR28kms:RecipientAttestation:PCR29kms:RecipientAttestation:PCR3kms:RecipientAttestation:PCR30kms:RecipientAttestation:PCR31kms:RecipientAttestation:PCR4kms:RecipientAttestation:PCR5kms:RecipientAttestation:PCR6kms:RecipientAttestation:PCR7kms:RecipientAttestation:PCR8kms:RecipientAttestation:PCR9kms:ReplicaRegionkms:RequestAliaskms:ResourceAliaseskms:RetiringPrincipalkms:RotationPeriodInDayskms:ScheduleKeyDeletionPendingWindowInDayskms:SigningAlgorithmkms:ValidTokms:ViaServicekms:WrappingAlgorithmkms:WrappingKeySpec

Learn AWS the Practical Way

Our bi-weekly newsletter teaches hands-on AWS fundamentals. No certification fluff - just practical knowledge.

Subscribe to Newsletter

Learn AWS the Practical Way

Our bi-weekly newsletter teaches hands-on AWS fundamentals. No certification fluff - just practical knowledge.

Subscribe to Newsletter

Quick Facts

Total Actions55

Prefixkms

Resource Types1

Condition Keys94

Access Level Breakdown

Read

Write

List

Permissions

Tagging

AWS AWS Key Management Service IAM Actions

Actions

Resource Types

Condition Keys

Learn AWS the Practical Way

Learn AWS the Practical Way

Quick Facts

Access Level Breakdown

Explore This Service