Permissions for AWS services in key policies

Many AWS services use AWS KMS keys to protect the resources they manage. When a service uses AWS owned keys or AWS managed keys, the service establishes and maintains the key policies for these KMS keys.

However, when you use a customer managed key with an AWS service, you set and maintain the key policy. That key policy must allow the service the minimum permissions that it requires to protect the resource on your behalf. We recommend that you follow the principle of least privilege: give the service only the permissions that it requires. You can do this effectively by learning which permissions the service needs and using AWS global condition keys and AWS KMS condition keys to refine the permissions.

To find the permissions that the service requires on a customer managed key, see the encryption documentation for the service. The following list includes links to some services documentation:

AWS CloudTrail permissions - Configure AWS KMS key policies for CloudTrail
Amazon Elastic Block Store permissions - Amazon EC2 User Guide and Amazon EC2 User Guide
AWS Lambda permissions - Data encryption at rest for Lambda
Amazon Q permissions - Data encryption for Amazon Q
Amazon Relational Database Service permissions - AWS KMS key management
AWS Secrets Manager permissions - Authorizing use of the KMS key
Amazon Simple Queue Service permissions - Amazon SQS Key management

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Change a key policy

IAM policies