

# Using IAM policies with AWS KMS

You can use IAM policies, along with [key policies](key-policies.md), [grants](grants.md), and [VPC endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html#edit-vpc-endpoint-policy), to control access to your AWS KMS keys in AWS KMS. 

**Note**  
To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. Specifically, the key policy must include the [policy statement that enables IAM policies](key-policy-default.md#key-policy-default-allow-root-enable-iam).

This section explains how to use IAM policies to control access to AWS KMS operations. For more general information about IAM, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/).

All KMS keys must have a key policy. IAM policies are optional. To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies. Specifically, the key policy must include the [policy statement that enables IAM policies](key-policy-default.md#key-policy-default-allow-root-enable-iam).

IAM policies can control access to any AWS KMS operation. Unlike key policies, IAM policies can control access to multiple KMS keys and provide permissions for the operations of several related AWS services. But IAM policies are particularly useful for controlling access to operations, such as [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html), that can't be controlled by a key policy because they don't involve any particular KMS key.

If you access AWS KMS through an Amazon Virtual Private Cloud (Amazon VPC) endpoint, you can also use a VPC endpoint policy to limit access to your AWS KMS resources when using the endpoint. For example, when using the VPC endpoint, you might only allow the principals in your AWS account to access your customer managed keys. For details, see [VPC endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html#edit-vpc-endpoint-policy).

For help writing and formatting a JSON policy document, see the [IAM JSON Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

You can use IAM policies in the following ways:
+ **Attach a permissions policy to a role for federation or cross-account permissions** – You can attach an IAM policy to an IAM role to enable identity federation, allow cross-account permissions, or give permissions to applications running on EC2 instances. For more information about the various use cases for IAM roles, see [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *IAM User Guide*.
+ **Attach a permissions policy to a user or a group** – You can attach a policy that allows a user or group of users to call AWS KMS operations. However, IAM best practices recommend that you use identities with temporary credentials, such as IAM roles, whenever possible.

The following example shows an IAM policy with AWS KMS permissions. This policy allows the IAM identities to which it is attached to list all KMS keys and aliases.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:ListKeys",
      "kms:ListAliases"
    ],
    "Resource": "*"
  }
}
```

------

Like all IAM policies, this policy doesn't have a `Principal` element. When you attach an IAM policy to an IAM identity, that identity gets the permissions specified in the policy.

For a table showing all of the AWS KMS API actions and the resources that they apply to, see the [Permissions reference](kms-api-permissions-reference.md).

## Allowing multiple IAM principals to access a KMS key


IAM groups are not valid principals in a key policy. To allow multiple users and roles to access a KMS key, do one of the following:
+ Use an IAM role as the principal in the key policy. Multiple authorized users can assume the role as needed. For details, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *IAM User Guide*.

  While you can list multiple IAM users in a key policy, this practice is not recommended because it requires that you update the key policy every time the list of authorized users changes. Also, IAM best practices discourage the use of IAM users with long-term credentials. For details, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.
+ Use an IAM policy to give permission to an IAM group. To do this, ensure that the key policy includes the statement that [enables IAM policies to allow access to the KMS key](key-policy-default.md#key-policy-default-allow-root-enable-iam), [create an IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-using.html#create-managed-policy-console) that allows access to the KMS key, and then [attach that policy to an IAM group](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-using.html#attach-managed-policy-console) that contains the authorized IAM users. Using this approach, you don't need to change any policies when the list of authorized users changes. Instead, you only need to add or remove those users from the appropriate IAM group. For details, see [IAM user groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) in the *IAM User Guide*.

For more information about how AWS KMS key policies and IAM policies work together, see [Troubleshooting AWS KMS permissions](policy-evaluation.md).

# Best practices for IAM policies


Securing access to AWS KMS keys is critical to the security of all of your AWS resources. KMS keys are used to protect many of the most sensitive resources in your AWS account. Take the time to design the [key policies](key-policies.md), IAM policies, [grants](grants.md), and VPC endpoint policies that control access to your KMS keys.

In IAM policy statements that control access to KMS keys, use the [least privileged principle](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege). Give IAM principals only the permissions they need on only the KMS keys they must use or manage. 

The following best practices apply to IAM policies that control access to AWS KMS keys and aliases. For general IAM policy best practice guidance, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

**Use key policies**  
Whenever possible, provide permissions in key policies that affect one KMS key, rather than in an IAM policy that can apply to many KMS keys, including those in other AWS accounts. This is particularly important for sensitive permissions like [kms:PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) and [kms:ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) but also for cryptographic operations that determine how your data is protected.

**Limit CreateKey permission**  
Give permission to create keys ([kms:CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html)) only to principals who need it. Principals who create a KMS key also set its key policy, so they can give themselves and others permission to use and manage the KMS keys they create. When you allow this permission, consider limiting it by using [policy conditions](policy-conditions.md). For example, you can use the [kms:KeySpec](conditions-kms.md#conditions-kms-key-spec) condition to limit the permission to symmetric encryption KMS keys.

**Specify KMS keys in an IAM policy**  
As a best practice, specify the [key ARN](concepts.md#key-id-key-ARN) of each KMS key to which the permission applies in the `Resource` element of the policy statement. This practice restricts the permission to the KMS keys that the principal requires. For example, this `Resource` element lists only the KMS keys the principal needs to use.  

```
"Resource": [
    "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
]
```
When specifying KMS keys is impractical, use a `Resource` value that limits access to KMS keys in a trusted AWS account and Region, such as `arn:aws:kms:region:account:key/*`. Or limit access to KMS keys in all Regions (`*`) of a trusted AWS account, such as `arn:aws:kms:*:account:key/*`.  
You cannot use a [key ID](concepts.md#key-id-key-id), [alias name](concepts.md#key-id-alias-name), or [alias ARN](concepts.md#key-id-alias-ARN) to represent a KMS key in the `Resource` field of an IAM policy. If you specify an alias ARN, the policy applies to the alias, not to the KMS key. For information about IAM policies for aliases, see [Controlling access to aliases](alias-access.md).

**Avoid "Resource": "\*" in an IAM policy**  <a name="avoid-resource-star"></a>
Use wildcard characters (\*) judiciously. In a key policy, the wildcard character in the `Resource` element represents the KMS key to which the key policy is attached. But in an IAM policy, a wildcard character alone in the `Resource` element (`"Resource": "*"`) applies the permissions to all KMS keys in all AWS accounts that the principal's account has permission to use. This might include [KMS keys in other AWS accounts](key-policy-modifying-external-accounts.md), as well as KMS keys in the principal's account.  
For example, to use a KMS key in another AWS account, a principal needs permission from the key policy of the KMS key in the external account, and from an IAM policy in their own account. Suppose that an arbitrary account gave your AWS account [kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) permission on their KMS keys. If so, an IAM policy in your account that gives a role `kms:Decrypt` permission on all KMS keys (`"Resource": "*"`) would satisfy the IAM part of the requirement. As a result, principals who can assume that role can now decrypt ciphertexts using the KMS key in the untrusted account. Entries for their operations appear in the CloudTrail logs of both accounts.  
In particular, avoid using `"Resource": "*"` in a policy statement that allows the following API operations. These operations can be called on KMS keys in other AWS accounts.  
+ [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)
+ [GetKeyRotationStatus](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyRotationStatus.html)
+ [Cryptographic operations](kms-cryptography.md#cryptographic-operations) ([Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html), [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html), [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html), [GenerateDataKeyPair](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html), [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html), [GenerateDataKeyPairWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPairWithoutPlaintext.html), [GetPublicKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html), [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html), [Sign](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html), [Verify](https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html))
+ [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html), [ListGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html), [ListRetirableGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListRetirableGrants.html), [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html), [RevokeGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html)

**When to use "Resource": "\*"**  <a name="require-resource-star"></a>
In an IAM policy, use a wildcard character in the `Resource` element only for permissions that require it. Only the following permissions require the `"Resource": "*"` element.  
+ [kms:CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html)
+ [kms:GenerateRandom](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html)
+ [kms:ListAliases](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html)
+ [kms:ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html)
+ Permissions for custom key stores, such as [kms:CreateCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html) and [kms:ConnectCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_ConnectCustomKeyStore.html).

Permissions for alias operations ([kms:CreateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html), [kms:UpdateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateAlias.html), [kms:DeleteAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteAlias.html)) must be attached to the alias and the KMS key. You can use `"Resource": "*"` in an IAM policy to represent the aliases and the KMS keys, or specify the aliases and KMS keys in the `Resource` element. For examples, see [Controlling access to aliases](alias-access.md).


The examples in this topic provide more information and guidance for designing IAM policies for KMS keys. For IAM best practices for all AWS resources, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

# Specifying KMS keys in IAM policy statements


You can use an IAM policy to allow a principal to use or manage KMS keys. KMS keys are specified in the `Resource` element of the policy statement. 
+ To specify a KMS key in an IAM policy statement, you must use its [key ARN](concepts.md#key-id-key-ARN). You cannot use a [key id](concepts.md#key-id-key-id), [alias name](concepts.md#key-id-alias-name), or [alias ARN](concepts.md#key-id-alias-ARN) to identify a KMS key in an IAM policy statement. 

  For example: `"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"`

  To control access to a KMS key based on its aliases, use the [kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias) or [kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases) condition keys. For details, see [ABAC for AWS KMS](abac.md).

  Use an alias ARN as the resource only in a policy statement that controls access to alias operations, such as [CreateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/CreateAlias.html), [UpdateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/UpdateAlias.html), or [DeleteAlias](https://docs.aws.amazon.com/kms/latest/APIReference/DeleteAlias.html). For details, see [Controlling access to aliases](alias-access.md).
+ To specify multiple KMS keys in the account and Region, use wildcard characters (\*) in the Region or resource ID positions of the key ARN. 

  For example, to specify all KMS keys in the US West (Oregon) Region of an account, use `"Resource": "arn:aws:kms:us-west-2:111122223333:key/*"`. To specify all KMS keys in all Regions of the account, use `"Resource": "arn:aws:kms:*:111122223333:key/*"`.
+ To represent all KMS keys, use a wildcard character alone (`"*"`). Use this format for operations that don't use any particular KMS key, namely [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html), [GenerateRandom](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html), [ListAliases](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html), and [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html).

When writing your policy statements, it's a [best practice](iam-policies-best-practices.md) to specify only the KMS keys that the principal needs to use, rather than giving them access to all KMS keys. 

For example, the following IAM policy statement allows the principal to call the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html), [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html), and [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) operations only on the KMS keys listed in the `Resource` element of the policy statement. Specifying KMS keys by key ARN, which is a best practice, ensures that the permissions are limited to the specified KMS keys.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": [
     "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "arn:aws:kms:us-west-2:111122223333:key/01234abcd-12ab-34cd-56ef-1234567890ab"
    ]
  }
}
```

------

To apply the permission to all KMS keys in a particular trusted AWS account, you can use wildcard characters (\*) in the Region and key ID positions. For example, the following policy statement allows the principal to call the specified operations on all KMS keys in two trusted example accounts.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:GenerateDataKeyPair"
    ],
    "Resource": [
      "arn:aws:kms:*:111122223333:key/*",
      "arn:aws:kms:*:444455556666:key/*"
    ]
  }
}
```

------

You can also use a wildcard character (`"*"`) alone in the `Resource` element. Because it allows access to all KMS keys the account has permission to use, it's recommended primarily for operations without a particular KMS key and for `Deny` statements. You can also use it in policy statements that allow only less sensitive read-only operations. To determine whether an AWS KMS operation involves a particular KMS key, look for the **KMS key** value in the **Resources** column of the table in [AWS KMS permissions](kms-api-permissions-reference.md).

For example, the following policy statement uses a `Deny` effect to prohibit the principals from using the specified operations on any KMS key. It uses a wildcard character in the `Resource` element to represent all KMS keys.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": [
      "kms:CreateKey",
      "kms:PutKeyPolicy",
      "kms:CreateGrant",
      "kms:ScheduleKeyDeletion"
    ],
    "Resource": "*"
  }
}
```

------

The following policy statement uses a wildcard character alone to represent all KMS keys. But it allows only less sensitive read-only operations and operations that don't apply to any particular KMS key.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:CreateKey",
      "kms:ListKeys",
      "kms:ListAliases",
      "kms:ListResourceTags"
    ],
    "Resource": "*"
  }
}
```

------

# IAM policy examples

In this section, you can find example IAM policies that allow permissions for various AWS KMS actions.

**Important**  
Some of the permissions in the following policies are allowed only when the KMS key's key policy also allows them. For more information, see [Permissions reference](kms-api-permissions-reference.md).

For help writing and formatting a JSON policy document, see the [IAM JSON Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

**Topics**
+ [Allow a user to view KMS keys in the AWS KMS console](#iam-policy-example-read-only-console)
+ [Allow a user to create KMS keys](#iam-policy-example-create-key)
+ [Allow a user to encrypt and decrypt with any KMS key in a specific AWS account](#iam-policy-example-encrypt-decrypt-one-account)
+ [Allow a user to encrypt and decrypt with any KMS key in a specific AWS account and Region](#iam-policy-example-encrypt-decrypt-one-account-one-region)
+ [Allow a user to encrypt and decrypt with specific KMS keys](#iam-policy-example-encrypt-decrypt-specific-cmks)
+ [Prevent a user from disabling or deleting any KMS keys](#iam-policy-example-deny-disable-delete)

## Allow a user to view KMS keys in the AWS KMS console


The following IAM policy allows users read-only access to the AWS KMS console. Users with these permissions can view all KMS keys in their AWS account, but they cannot create or change any KMS keys. 

To view KMS keys on the **AWS managed keys** and **Customer managed keys** pages, principals require [kms:ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html), [kms:ListAliases](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html), and [tag:GetResources](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html) permissions, even if the keys do not have tags or aliases. The remaining permissions, particularly [kms:DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html), are required to view optional KMS key table columns and data on the KMS key detail pages. The [iam:ListUsers](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUsers.html) and [iam:ListRoles](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRoles.html) permissions are required to display the key policy in default view without error. To view data on the **Custom key stores** page and details about KMS keys in custom key stores, principals also need [kms:DescribeCustomKeyStores](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeCustomKeyStores.html) permission.

If you limit a user's console access to particular KMS keys, the console displays an error for each KMS key that is not visible. 

This policy includes two policy statements. The `Resource` element in the first policy statement allows the specified permissions on all KMS keys in all Regions of the example AWS account. Console viewers don't need additional access because the AWS KMS console displays only KMS keys in the principal's account. This is true even if they have permission to view KMS keys in other AWS accounts. The remaining AWS KMS and IAM permissions require a `"Resource": "*"` element because they don't apply to any particular KMS key.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccessForAllKMSKeysInAccount",
      "Effect": "Allow",
      "Action": [
        "kms:GetPublicKey",
        "kms:GetKeyRotationStatus",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
        "kms:ListKeyPolicies",
        "kms:ListResourceTags",
        "tag:GetResources"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Sid": "ReadOnlyAccessForOperationsWithNoKMSKey",
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:ListAliases",
        "iam:ListRoles",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## Allow a user to create KMS keys


The following IAM policy allows a user to create all types of KMS keys. The value of the `Resource` element is `*` because the `CreateKey` operation does not use any particular AWS KMS resources (KMS keys or aliases).

To restrict the user to particular types of KMS keys, use the [kms:KeySpec](conditions-kms.md#conditions-kms-key-spec), [kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage), and [kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin) condition keys.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "kms:CreateKey",
    "Resource": "*"
  }
}
```

------

Principals who create keys might need some related permissions.
+ **kms:PutKeyPolicy** — Principals who have `kms:CreateKey` permission can set the initial key policy for the KMS key. However, the `CreateKey` caller must have [kms:PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) permission, which lets them change the KMS key policy, or they must specify the `BypassPolicyLockoutSafetyCheck` parameter of `CreateKey`, which is not recommended. The `CreateKey` caller can get `kms:PutKeyPolicy` permission for the KMS key from an IAM policy or they can include this permission in the key policy of the KMS key that they're creating.
+ **kms:TagResource** — To add tags to the KMS key during the `CreateKey` operation, the `CreateKey` caller must have [kms:TagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html) permission in an IAM policy. Including this permission in the key policy of the new KMS key isn't sufficient. However, if the `CreateKey` caller includes `kms:TagResource` in the initial key policy, they can add tags in a separate call after the KMS key is created.
+ **kms:CreateAlias** — Principals who create a KMS key in the AWS KMS console must have [kms:CreateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html) permission on the KMS key and on the alias. (The console makes two calls: one to `CreateKey` and one to `CreateAlias`.) You must provide the alias permission in an IAM policy. You can provide the KMS key permission in a key policy or IAM policy. For details, see [Controlling access to aliases](alias-access.md).

In addition to `kms:CreateKey`, the following IAM policy provides `kms:TagResource` permission on all KMS keys in the AWS account and `kms:CreateAlias` permission on all aliases in the account. It also includes some useful read-only permissions that can be provided only in an IAM policy. 

This IAM policy does not include `kms:PutKeyPolicy` permission or any other permissions that can be set in a key policy. It's a [best practice](iam-policies-best-practices.md) to set these permissions in the key policy where they apply exclusively to one KMS key.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPermissionsForParticularKMSKeys",
      "Effect": "Allow",
      "Action": "kms:TagResource",
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Sid": "IAMPermissionsForParticularAliases",
      "Effect": "Allow",
      "Action": "kms:CreateAlias",
      "Resource": "arn:aws:kms:*:111122223333:alias/*"
    },
    {
      "Sid": "IAMPermissionsForAllKMSKeys",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:ListKeys",
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## Allow a user to encrypt and decrypt with any KMS key in a specific AWS account


The following IAM policy allows a user to encrypt and decrypt data with any KMS key in AWS account 111122223333.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": "arn:aws:kms:*:111122223333:key/*"
  }
}
```

------

## Allow a user to encrypt and decrypt with any KMS key in a specific AWS account and Region


The following IAM policy allows a user to encrypt and decrypt data with any KMS key in AWS account `111122223333` in the US West (Oregon) Region.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/*"
    ]
  }
}
```

------

## Allow a user to encrypt and decrypt with specific KMS keys


The following IAM policy allows a user to encrypt and decrypt data with the two KMS keys specified in the `Resource` element. When specifying a KMS key in an IAM policy statement, you must use the [key ARN](concepts.md#key-id-key-ARN) of the KMS key.

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "arn:aws:kms:us-west-2:111122223333:key/01234abc-d12a-b34c-d56e-f1234567890a"
    ]
  }
}
```

------

## Prevent a user from disabling or deleting any KMS keys


The following IAM policy prevents a user from disabling or deleting any KMS keys, even when another IAM policy or a key policy allows these permissions. A policy that explicitly denies permissions overrides all other policies, even those that explicitly allow the same permissions. For more information, see [Troubleshooting AWS KMS permissions](policy-evaluation.md).

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": [
      "kms:DisableKey",
      "kms:ScheduleKeyDeletion"
    ],
    "Resource": "*"
  }
}
```

------
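To see how the explicit `Deny` above and the cross-account `"Resource": "*"` pitfall from the best-practices section play out, here is a small Python model of the evaluation. It is an added example, not AWS's evaluation logic: it combines a key policy with an IAM policy, treats an explicit `Deny` in either as final, and requires an IAM `Allow` only when the key policy delegates to the caller's account root. Conditions, grants, and VPC endpoint policies are not modelled; the role ARN, key ARNs, and policies are constructed placeholders.

```python
import re


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _wild(pattern, value):
    """IAM-style match: "*" in the pattern matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _statement_applies(stmt, action, resource, principal):
    """True when Action and Resource match the call and, for a key policy
    (principal is not None), the statement names that principal. Only the
    {"AWS": "<arn>"} principal form is modelled."""
    if not any(_wild(p, action) for p in _as_list(stmt.get("Action", []))):
        return False
    if not any(_wild(p, resource) for p in _as_list(stmt.get("Resource", []))):
        return False
    if principal is not None:
        aws = stmt.get("Principal", {})
        aws = aws.get("AWS", []) if isinstance(aws, dict) else aws
        return principal in _as_list(aws)
    return True


def _effects(policy, action, resource, principal=None):
    """Set of Effect values of the statements that apply to this call."""
    return {s["Effect"] for s in _as_list(policy["Statement"])
            if _statement_applies(s, action, resource, principal)}


def is_allowed(action, key_arn, caller_arn, key_policy, iam_policy):
    """Simplified decision: an explicit Deny anywhere wins; a key policy that
    names the caller directly is sufficient; a key policy that names only the
    caller's account root delegates, so an IAM Allow is then required too."""
    account = caller_arn.split(":")[4]
    direct = _effects(key_policy, action, key_arn, caller_arn)
    via_root = _effects(key_policy, action, key_arn, f"arn:aws:iam::{account}:root")
    iam = _effects(iam_policy, action, key_arn)
    if "Deny" in direct | via_root | iam:
        return False
    if "Allow" in direct:
        return True
    return "Allow" in via_root and "Allow" in iam


# Constructed scenario: accounts, key IDs and the role are placeholders.
ROLE = "arn:aws:iam::111122223333:role/DataReader"
OWN_KEY = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
EXTERNAL_KEY = "arn:aws:kms:us-west-2:444455556666:key/aaaabbbb-cccc-dddd-eeee-ffff00001111"


def _key_policy(owner, extra=()):
    """Default-style key policy: the owner's root enables IAM policies;
    `extra` adds further statements, such as a cross-account grant."""
    root = {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
            "Action": "kms:*", "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [root, *extra]}


OWN_KEY_POLICY = _key_policy("111122223333")
# The external account's key trusts the whole 111122223333 account for Decrypt.
EXTERNAL_KEY_POLICY = _key_policy("444455556666", [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:Decrypt", "Resource": "*"}])

BROAD_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}]}
SCOPED_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:*:111122223333:key/*"}]}
DENY_DELETE_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:ScheduleKeyDeletion", "Resource": OWN_KEY},
    {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}]}


def scenarios():
    """Outcomes for the cases discussed on this page."""
    return {
        "broad IAM policy, external key": is_allowed("kms:Decrypt", EXTERNAL_KEY, ROLE, EXTERNAL_KEY_POLICY, BROAD_IAM),
        "scoped IAM policy, external key": is_allowed("kms:Decrypt", EXTERNAL_KEY, ROLE, EXTERNAL_KEY_POLICY, SCOPED_IAM),
        "scoped IAM policy, own key": is_allowed("kms:Decrypt", OWN_KEY, ROLE, OWN_KEY_POLICY, SCOPED_IAM),
        "explicit Deny overrides Allow": is_allowed("kms:ScheduleKeyDeletion", OWN_KEY, ROLE, OWN_KEY_POLICY, DENY_DELETE_IAM),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```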