

# Encryption at rest
<a name="encryption-at-rest"></a>

 IAM Identity Center provides encryption to protect customer data at rest using the following key types: 
+  **AWS owned keys (default key type)** — IAM Identity Center uses these keys by default to automatically encrypt your data. You can't view, manage, audit their use, or use AWS owned keys for other purposes. IAM Identity Center handles the key management entirely to keep your data secure, without your having to take any action. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the [*AWS Key Management Service Developer Guide*](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html). 
+  **Customer managed keys** — In organization instances of IAM Identity Center, you can choose a symmetric customer managed key for encryption at rest of your workforce identity data such as user and group attributes. You create, own, and manage these encryption keys. Because you have full control of this layer of encryption, you can perform such tasks as: 
  +  Establishing and maintaining key policies to restrict access to the key to only IAM principals who need access, such as IAM Identity Center and [AWS managed applications](awsapps.md) in the same AWS Organizations and their administrators. 
  +  Establishing and maintaining IAM policies for access to the key including cross-account access 
  +  Enabling and disabling key policies 
  +  Rotating key cryptographic material 
  +  Auditing access to your data that requires key access 
  +  Adding tags 
  +  Creating key aliases 
  +  Scheduling keys for deletion 

 To learn how to implement a customer managed KMS key in IAM Identity Center see [Implementing customer managed KMS keys in AWS IAM Identity Center](identity-center-customer-managed-keys.md). For more information about customer managed keys, see [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*. 

**Note**  
 IAM Identity Center automatically enables encryption at rest using AWS owned KMS keys to protect customer data at no charge. However, AWS KMS charges apply when using a customer managed key. For more information about pricing, see the [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/). 

 **Considerations for implementing customer managed keys:** 
+  **Dedicated keys**: We recommend creating a new dedicated customer managed KMS key for each IAM Identity Center instance rather than reusing an existing key. This approach provides clearer separation of duties, simplifies access control management, and makes security auditing more straightforward. Having a dedicated key also reduces risk by limiting the impact of key changes to a single IAM Identity Center instance. 
+  **Use of IAM Identity Center across multiple AWS Regions**: If you plan to replicate your IAM Identity Center instance to additional AWS Regions, you will need to use a customer managed KMS key for encryption at rest. The default AWS owned KMS key type is not supported in a multi-regional IAM Identity Center. For more information, see [Using IAM Identity Center across multiple AWS Regions](multi-region-iam-identity-center.md). 

**Note**  
 IAM Identity Center uses [envelope encryption](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#envelope-encryption) in the encryption of your workforce identity data. Your KMS key plays the role of a wrapping key that encrypts the data key that is actually used to encrypt the data. 

For more information on AWS KMS, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html)

## IAM Identity Center encryption context
<a name="iam-identity-center-encryption-context"></a>

 An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html) is an optional set of non-secret key-value pairs that contain additional contextual information about the data. AWS KMS uses the encryption context as additional authenticated data to support authenticated encryption. When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt data, you include the same encryption context in the request. Refer to the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html) for more information about encryption context. 

 IAM Identity Center uses encryption context keys from the following: aws:sso:instance-arn, aws:identitystore:identitystore-arn, and tenant-key-id. For example, the following encryption context can appear in AWS KMS API operations invoked by [IAM Identity Center API](https://docs.aws.amazon.com/singlesignon/latest/APIReference/welcome.html). 

```
"encryptionContext": {
    "tenant-key-id": "ssoins-1234567890abcdef",
    "aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-1234567890abcdef"
}
```

 The following encryption context can appear in AWS KMS API operations invoked by [Identity Store API](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html). 

```
"encryptionContext": {
    "tenant-key-id": "12345678-1234-1234-1234-123456789012",
    "aws:identitystore:identitystore-arn": "arn:aws:identitystore::123456789012:identitystore/d-1234567890"
}
```
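The envelope-encryption note and the encryption context examples above describe two mechanisms working together: the KMS key wraps a data key, and the context is bound to each KMS call as additional authenticated data. The following added example (not AWS or IAM Identity Center code) models both with stand-ins: `ToyKms` plays the customer managed key, exposing only the operations the baseline key policy grants (`GenerateDataKeyWithoutPlaintext`, `Decrypt`, `Encrypt`), and the AEAD is a toy HMAC-authenticated construction used purely to show that a mismatched context fails authentication. The context values are the placeholder identifiers from the examples above.

```python
"""Envelope encryption with an encryption context used as additional
authenticated data (AAD). Added illustration, not AWS KMS or IAM Identity
Center code: ToyKms stands in for a KMS key and the AEAD below is a toy
HMAC-authenticated construction for demonstration only."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def canonical_context(ctx: dict) -> bytes:
    # The context is a set of key-value pairs; sort so pair order never changes the AAD.
    return json.dumps(ctx, sort_keys=True, separators=(",", ":")).encode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode (illustration only, not for real use).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    # The tag covers the AAD, so decrypting under a different context fails authentication.
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or encryption context")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ToyKms:
    """Stand-in for a customer managed KMS key: the wrapping key never leaves it."""

    def __init__(self):
        self._wrapping_key = os.urandom(32)

    def generate_data_key_without_plaintext(self, context: dict) -> bytes:
        # Returns only the wrapped data key, like kms:GenerateDataKeyWithoutPlaintext.
        data_key = os.urandom(32)
        return aead_encrypt(self._wrapping_key, data_key, canonical_context(context))

    def decrypt(self, wrapped: bytes, context: dict) -> bytes:
        # Unwraps the data key only when the same context is supplied (kms:Decrypt).
        return aead_decrypt(self._wrapping_key, wrapped, canonical_context(context))


def envelope_encrypt(kms: ToyKms, plaintext: bytes, context: dict) -> dict:
    wrapped = kms.generate_data_key_without_plaintext(context)
    data_key = kms.decrypt(wrapped, context)  # the service obtains the plaintext data key
    return {"wrapped_key": wrapped,
            "ciphertext": aead_encrypt(data_key, plaintext, canonical_context(context))}


def envelope_decrypt(kms: ToyKms, envelope: dict, context: dict) -> bytes:
    data_key = kms.decrypt(envelope["wrapped_key"], context)
    return aead_decrypt(data_key, envelope["ciphertext"], canonical_context(context))


def decrypts_with(kms: ToyKms, envelope: dict, context: dict) -> bool:
    # True when the supplied context (and key) unwraps and decrypts the envelope.
    try:
        envelope_decrypt(kms, envelope, context)
        return True
    except ValueError:
        return False
```

The point the model makes visible: the same pairs in a different order still decrypt (the context is a set, canonicalised before use), while a subset of the pairs, a different instance ARN, or a different wrapping key all fail at the unwrap step, before any data is exposed.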

## Using encryption context to control access to your customer managed key
<a name="using-encryption-context-to-control-access-to-your-customer-managed-key"></a>

 You can use the encryption context in key policies and IAM policies as conditions to control access to your symmetric customer managed key. Some of the key policy templates in the [Advanced KMS key policy statements](advanced-kms-policy.md) include such conditions to ensure the key is used only with a specific IAM Identity Center instance. 

## Monitoring your encryption keys for IAM Identity Center
<a name="monitoring-your-encryption-keys-for-iam-identity-center"></a>

 When you use a customer managed KMS key with your IAM Identity Center instance, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) or [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) to track requests that IAM Identity Center sends to AWS KMS. The KMS API operations that IAM Identity Center calls are listed in [Step 2: Prepare KMS key policy statements](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements). CloudTrail events for these API operations contain the encryption context, which enables you to monitor AWS KMS API operations called by your IAM Identity Center instance to access data encrypted by your customer managed key. 

 Example encryption context in a CloudTrail event of an AWS KMS API operation: 

```
{
"requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
            "aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxxx",
            "tenant-key-id": "ssoins-xxxxxxxxxxxxxxxx"
        }
    }
}
```
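The CloudTrail event above carries the encryption context, which is what makes per-instance monitoring possible. The following added example (not AWS or IAM Identity Center code) reviews a batch of KMS records against the key used by one instance and reports three things a defender would want to know: data-key operations whose context names an instance other than the expected one, data-key operations that were denied (a likely sign of a broken key or IAM policy, as the Important note in Step 2 warns), and operations that can lock the instance out of its key. The records are constructed; the field names used (`eventSource`, `eventName`, `requestParameters`, `resources`, `errorCode`, `eventID`) follow the CloudTrail record format, and the key, instance and Identity Store ARNs are placeholders.

```python
"""Reviews CloudTrail records of AWS KMS calls against a customer managed key
used by IAM Identity Center. Added example, not AWS or IAM Identity Center code.
The sample records are constructed and all ARNs are placeholders."""

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
EXPECTED_CONTEXT_VALUES = {
    "arn:aws:sso:::instance/ssoins-1234567890abcdef",
    "arn:aws:identitystore::123456789012:identitystore/d-1234567890",
}
IDENTITY_CENTER_CONTEXT_KEYS = ("aws:sso:instance-arn", "aws:identitystore:identitystore-arn")
DATA_KEY_OPERATIONS = {"Encrypt", "Decrypt", "GenerateDataKeyWithoutPlaintext"}
CRITICAL_OPERATIONS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"}


def _event(event_id, name, context=None, error=None):
    # Builds a constructed CloudTrail-style record for the sample set below.
    record = {"eventID": event_id, "eventSource": "kms.amazonaws.com", "eventName": name,
              "resources": [{"ARN": KEY_ARN}], "requestParameters": {}}
    if context is not None:
        record["requestParameters"]["encryptionContext"] = context
    if error:
        record["errorCode"] = error
    return record


SAMPLE_EVENTS = [
    _event("e1", "Decrypt", {"tenant-key-id": "ssoins-1234567890abcdef",
                             "aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-1234567890abcdef"}),
    _event("e2", "GenerateDataKeyWithoutPlaintext",
           {"tenant-key-id": "12345678-1234-1234-1234-123456789012",
            "aws:identitystore:identitystore-arn":
                "arn:aws:identitystore::123456789012:identitystore/d-1234567890"}),
    _event("e3", "Decrypt", {"aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-0000000000000000"}),
    _event("e4", "Decrypt", {"aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-1234567890abcdef"},
           error="AccessDenied"),
    _event("e5", "ScheduleKeyDeletion"),
]


def review_kms_events(events, key_arn=KEY_ARN, expected_values=EXPECTED_CONTEXT_VALUES):
    """Returns (category, eventName, eventID) tuples for records that deserve attention."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(r.get("ARN") == key_arn for r in ev.get("resources", [])):
            continue  # some other key; out of scope for this instance
        name = ev.get("eventName")
        if name in CRITICAL_OPERATIONS:
            # Disabling, deleting or re-policying the key can lock every user out of Identity Center.
            findings.append(("critical-operation", name, ev.get("eventID")))
        elif name in DATA_KEY_OPERATIONS:
            if "errorCode" in ev:
                # A denied call usually means a key policy or IAM policy change removed a permission.
                findings.append(("denied", name, ev.get("eventID")))
                continue
            ctx = ev.get("requestParameters", {}).get("encryptionContext", {})
            bound = [ctx[k] for k in IDENTITY_CENTER_CONTEXT_KEYS if k in ctx]
            if not bound:
                # The key was used for something other than Identity Center / Identity Store data.
                findings.append(("no-identity-center-context", name, ev.get("eventID")))
            elif any(v not in expected_values for v in bound):
                findings.append(("unexpected-instance", name, ev.get("eventID")))
    return findings
```

Run against a real trail, the same function would take the parsed `Records` array of a CloudTrail log file; the expected-value set is the instance ARN and Identity Store ARN from the Settings page described under "Where to find the required identifiers".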

## AWS managed applications’ storage, encryption, and deletion of IAM Identity Center identity attributes
<a name="data-encryption-deletion-considerations"></a>

 Some AWS managed applications that you deploy with AWS IAM Identity Center, such as AWS Systems Manager and Amazon CodeCatalyst, store specific user and group attributes from IAM Identity Center in their own data store. Encryption at rest with a customer managed KMS key in IAM Identity Center does not extend to the IAM Identity Center user and group attributes stored in AWS managed applications. AWS managed applications support different encryption methods for the data they store. Finally, when you delete user and group attributes within IAM Identity Center, these AWS managed applications may continue to store this information past its deletion in IAM Identity Center. Refer to the user guide of your AWS managed applications for encryption and security of data stored within the applications. 

# Implementing customer managed KMS keys in AWS IAM Identity Center
<a name="identity-center-customer-managed-keys"></a>

Customer managed keys are AWS Key Management Service keys that you create, own, and manage. To implement a customer managed KMS key for encryption at rest in AWS IAM Identity Center, follow these steps:

**Important**  
 Some AWS managed applications cannot be used with AWS IAM Identity Center configured with a customer managed KMS key. See [AWS managed applications that you can use with IAM Identity Center](awsapps-that-work-with-identity-center.md). 

1.  [Step 1: Identify use cases for your organization](#identify-use-cases) - To define correct permissions for use of the KMS key you need to identify the relevant use cases across your organization. The KMS key permissions consist of KMS key policy statements and identity-based policies that work together to allow appropriate IAM principals to use the KMS key for their specific use cases. 

1.  [Step 2: Prepare KMS key policy statements](#choose-kms-key-policy-statements) - Choose pertinent KMS key policy statement templates based on the use cases identified in Step 1, and fill in required identifiers and IAM principal names. Start with the baseline KMS key policy statements, and if your security policies require it, refine them as described in Advanced KMS key policy statements. 

1.  [Step 3: Create a customer managed KMS key](#create-customer-managed-kms-key) - Create a KMS key in AWS KMS that meets the IAM Identity Center requirements, and add the KMS key policy statements prepared in Step 2 to the KMS key policy. 

1.  [Step 4: Configure IAM policies for cross-account use of the KMS key](#configure-iam-policies-kms-key) - Choose pertinent IAM policy statement templates based on the use cases identified in Step 1, and prepare them for use by filling in the key ARN. Then, allow the IAM principals for each specific use case to use the KMS key across accounts by adding the prepared IAM policy statements to the principals' IAM policies. 

1.  [Step 5: Configure the KMS key in IAM Identity Center](#configure-kms-key-in-iam-identity-center) - Enable the customer managed KMS key in your IAM Identity Center instance to use it for encryption at rest. 

## Step 1: Identify use cases for your organization
<a name="identify-use-cases"></a>

 Before creating and configuring your customer managed KMS key, identify your use cases and prepare the required KMS key permissions. Refer to [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) for more information on the KMS key policy. 

IAM principals that call the IAM Identity Center service APIs require permissions. For example, a delegated administrator can be authorized to use these APIs through a permission set policy. When IAM Identity Center is configured with a customer managed key, IAM principals must also have permissions to use the KMS API through the IAM Identity Center service APIs. You define these KMS API permissions in two places: the KMS key policy and in the IAM policies associated with the IAM principals.

The KMS key permissions consist of:

1. KMS key policy statements that you specify on the KMS key during its creation in [Step 3: Create a customer managed KMS key](#create-customer-managed-kms-key).

1. IAM policy statements for IAM principals that you specify in [Step 4: Configure IAM policies for cross-account use of the KMS key](#configure-iam-policies-kms-key) after you create the KMS key.

 The following table specifies the relevant use cases and IAM principals that need permissions to use your KMS key. 


|  Use case  |  IAM principals that need permissions to use the KMS key  |  Required/Optional  | 
| --- | --- | --- | 
|  Use of AWS IAM Identity Center  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-customer-managed-keys.html)  | Required | 
|  Use of AWS managed applications with IAM Identity Center  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-customer-managed-keys.html)  | Optional | 
|  Use of AWS Control Tower on the AWS IAM Identity Center instance it enabled  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-customer-managed-keys.html)  | Optional | 
|  SSO to Amazon EC2 instances with AWS IAM Identity Center  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-customer-managed-keys.html)  | Optional | 
|  Any other use case that makes calls to IAM Identity Center service APIs with IAM principals, such as customer managed applications, permission set provisioning workflows, or AWS Lambda functions  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-customer-managed-keys.html)  | Optional | 

**Note**  
 Multiple IAM principals listed in the table require AWS KMS API permissions. However, to protect your user and group data in IAM Identity Center, only IAM Identity Center and Identity Store services directly call the AWS KMS API. 

## Step 2: Prepare KMS key policy statements
<a name="choose-kms-key-policy-statements"></a>

After identifying the use cases relevant to your organization, you can prepare the corresponding KMS key policy statements.

1.  Choose the KMS key policy statements that match the use cases for your organization. Begin with the baseline policy templates. If you need more specific policies based on your security requirements, you can modify the policy statements using the examples in [Advanced KMS key policy statements](advanced-kms-policy.md). For guidance on this decision, see [Considerations for choosing baseline vs. advanced KMS key policy statements](considerations-for-customer-managed-kms-keys-advanced.md#kms-policy-considerations-advanced-vs-baseline). In addition, each baseline section in [Baseline KMS key and IAM policy statements](baseline-KMS-key-policy.md) includes relevant considerations. 

1.  Copy the relevant policies to an editor and insert the required identifiers and IAM principal names in the KMS key policy statements. For help finding the values of the referenced identifiers, see [Where to find the required identifiers](#find-the-required-identifiers). 

Following are baseline policy templates for each use case. Only the first set of permissions for AWS IAM Identity Center is required to use a KMS key. We recommend that you review the applicable subsections for additional use case-specific information.
+  [Baseline KMS key policy statements for use of IAM Identity Center (required)](baseline-KMS-key-policy.md#baseline-kms-key-policy-statements-for-use-of-iam-identity-center-mandatory) 
+  [Baseline KMS key and IAM policy statements for use of AWS managed applications](baseline-KMS-key-policy.md#baseline-kms-key-policy-statements-for-use-of-aws-managed-applications) 
+  [Baseline KMS key statement for use of AWS Control Tower](baseline-KMS-key-policy.md#baseline-kms-key-policy-statements-for-specific-use-cases) 
+  [Baseline KMS key and IAM policy statements for use of IAM Identity Center to Amazon EC2 instances](baseline-KMS-key-policy.md#baseline-kms-key-policy-statements-for-use-of-sso-to-amazon-ec2-windows-instances) 
+  [Baseline KMS key and IAM policy statements for use of custom workflows with IAM Identity Center](baseline-KMS-key-policy.md#baseline-kms-key-policy-statements-for-use-of-custom-workflows-with-iam-identity-center) 

**Important**  
 Exercise caution when modifying KMS key policies for keys already in use by IAM Identity Center. While IAM Identity Center validates encryption and decryption permissions when you initially configure a KMS key, it cannot verify subsequent policy changes. Inadvertently removing necessary permissions could disrupt your IAM Identity Center's normal operation. For guidance troubleshooting common errors related to customer managed keys in IAM Identity Center, refer to [Troubleshoot customer managed keys in AWS IAM Identity Center](cmk-related-errors.md).

**Note**  
 IAM Identity Center and its associated Identity Store require service-level permissions to use your customer managed KMS key. This requirement extends to AWS managed applications that call IAM Identity Center service APIs using service credentials. For other use cases where IAM Identity Center service APIs are called with [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html), only the initiating IAM principal (such as an administrator) needs KMS key permissions. Notably, end users using the AWS access portal and AWS managed applications don't need direct KMS key permissions, as they are granted through the respective services.

## Step 3: Create a customer managed KMS key
<a name="create-customer-managed-kms-key"></a>

You can create a customer managed key using the AWS Management Console or the AWS KMS APIs. While creating the key, add the KMS key policy statements you prepared in Step 2 into the KMS key policy. For detailed instructions, including guidance on the default KMS key policy, see the [AWS Key Management Service Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/).

The key must meet the following requirements:
+ The KMS key must be in the same AWS Region as the IAM Identity Center instance
+ You can choose either a multi-Region or a single-Region key. However, if you plan to use IAM Identity Center in multiple AWS Regions, you must create a multi-Region KMS key. You cannot convert a single-Region KMS key to a multi-Region one, so we recommend starting with a multi-Region KMS key unless you have a specific requirement to use a single-Region KMS key.
+ The KMS key must be a symmetric key configured for "encrypt and decrypt" usage
+ The KMS key must be in the same AWS Organizations management account as the organization instance of IAM Identity Center
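The requirements above can be checked before the key is configured in IAM Identity Center, which is cheaper than discovering a mismatch at Step 5. The following added example (not AWS or IAM Identity Center code) validates the `KeyMetadata` structure that the AWS KMS `DescribeKey` API returns, using its `Arn`, `AWSAccountId`, `KeySpec`, `KeyUsage`, `MultiRegion` and `KeyState` fields; the two sample metadata records are constructed and the account, region and key IDs are placeholders.

```python
"""Checks KMS KeyMetadata (the shape returned by DescribeKey) against the
IAM Identity Center key requirements. Added example, not IAM Identity Center
code; the sample metadata below is constructed."""

REQUIRED_KEY_SPEC = "SYMMETRIC_DEFAULT"
REQUIRED_KEY_USAGE = "ENCRYPT_DECRYPT"


def arn_region_and_account(arn: str):
    # KMS key ARN layout: arn:partition:kms:region:account:key/key-id
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "kms":
        raise ValueError(f"not a KMS key ARN: {arn}")
    return parts[3], parts[4]


def check_key_requirements(metadata: dict, instance_region: str,
                           management_account: str, multi_region_planned: bool) -> list:
    """Returns the list of requirement violations; an empty list means the key qualifies."""
    problems = []
    region, account = arn_region_and_account(metadata["Arn"])
    if region != instance_region:
        problems.append(f"key is in {region} but the instance is in {instance_region}")
    if account != management_account or metadata.get("AWSAccountId") != management_account:
        problems.append("key is not in the organization management account")
    if metadata.get("KeySpec") != REQUIRED_KEY_SPEC:
        problems.append(f"key spec {metadata.get('KeySpec')} is not a symmetric key")
    if metadata.get("KeyUsage") != REQUIRED_KEY_USAGE:
        problems.append(f"key usage {metadata.get('KeyUsage')} is not encrypt and decrypt")
    if multi_region_planned and not metadata.get("MultiRegion", False):
        # A single-Region key cannot be converted later, so this is worth catching up front.
        problems.append("multi-Region use is planned but the key is single-Region")
    if metadata.get("KeyState") != "Enabled":
        problems.append(f"key state is {metadata.get('KeyState')}, not Enabled")
    return problems


# Constructed sample metadata; the "mrk-" prefix marks a multi-Region key ID.
GOOD_KEY = {
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "AWSAccountId": "123456789012", "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": True, "KeyState": "Enabled",
}
BAD_KEY = {
    "Arn": "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "AWSAccountId": "123456789012", "KeySpec": "RSA_2048",
    "KeyUsage": "SIGN_VERIFY", "MultiRegion": False, "KeyState": "Enabled",
}
```

With the real API, the metadata argument is `describe_key(KeyId=...)["KeyMetadata"]` from boto3 or the `KeyMetadata` object printed by `aws kms describe-key`.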

**Note**  
If you plan to replicate this KMS key to Regions where you want to replicate your IAM Identity Center, we recommend you first complete the setup in this section, and then follow the guidance in [Replicate IAM Identity Center to an additional Region](replicate-to-additional-region.md).

## Step 4: Configure IAM policies for cross-account use of the KMS key
<a name="configure-iam-policies-kms-key"></a>

Any IAM principal that uses the IAM Identity Center service APIs from another AWS account, such as IAM Identity Center delegated administrators, also needs an IAM policy statement that allows use of the KMS key through these APIs.

For each use case identified in step 1:

1. Locate the pertinent IAM policy statement templates in Baseline KMS key and IAM policy statements.

1. Copy the templates to an editor and fill in the key ARN, which is now available following the creation of the KMS key in step 3. For help finding the key ARN value, see [Where to find the required identifiers](#find-the-required-identifiers).

1.  In the AWS Management Console, locate the IAM policy of the IAM principal that is associated with the use case. The location of this policy varies depending on the use case and how access is granted. 
   + For access granted directly in IAM, you can locate IAM principals, such as IAM roles in the IAM console.
   + For access granted through IAM Identity Center, you can locate the pertinent permission set in the IAM Identity Center console.

1. Add the use case-specific IAM policy statements to the IAM role and save the change.

**Note**  
The IAM policies described here are identity-based policies. While such policies can be attached to IAM users, groups, and roles, we recommend the use of IAM roles when possible. See the IAM user guide for more information about IAM roles versus IAM users.

### Additional configuration in some AWS managed applications
<a name="additional-config-in-some-aws-apps"></a>

Some AWS managed applications require you to configure a service role to allow the applications to use the IAM Identity Center service APIs. If your organization uses AWS managed applications with IAM Identity Center, complete the following steps for each deployed application:

1. See the application's user guide to confirm whether the permissions have been updated to include KMS key-related permissions for use of the application with IAM Identity Center.

1. If so, update the permissions as instructed in the application's user guide to avoid disruption to the application's operations.

**Note**  
 If you're unsure whether an AWS managed application uses these permissions, we recommend that you check the user guides of all deployed AWS managed applications. You only need to perform this configuration once for each application that requires the configuration. 

## Step 5: Configure the KMS key in IAM Identity Center
<a name="configure-kms-key-in-iam-identity-center"></a>

**Important**  
Before proceeding with this step:  
+ Verify that your AWS managed applications are compatible with customer managed KMS keys. For a list of compatible applications, see [AWS managed applications that you can use with IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/awsapps-that-work-with-identity-center.html). If you have incompatible applications, do not proceed.
+ Configure the necessary permissions for use of the KMS key. Without proper permissions, this step may fail or disrupt IAM Identity Center administration, the use of AWS managed applications, and other use cases that require KMS key permissions. For more information, see [Step 1: Identify use cases for your organization](#identify-use-cases).
+ Ensure that permissions for AWS managed applications and customer managed applications that call IAM Identity Center service APIs with IAM roles also allow the use of the KMS key via IAM Identity Center service APIs. Some AWS managed applications require you to configure permissions, such as a service role, for the use of these APIs. Refer to the User Guide of each deployed AWS managed application to confirm whether you need to add specific KMS key permissions.

### Specify a KMS key when enabling new organization instance of IAM Identity Center
<a name="specify-kms-key-new-instance"></a>

When enabling a new organization instance of IAM Identity Center, you can specify a customer managed KMS key during setup. This ensures the instance uses your key for encryption at rest from the start. Before you start, refer to [Considerations for customer managed KMS keys and advanced KMS key policies](considerations-for-customer-managed-kms-keys-advanced.md).

1. On the **Enable IAM Identity Center** page, expand the **Encryption at rest** section.

1. Choose **Manage Encryption**.

1. Choose **Customer managed key**.

1. For **KMS key**, do one of the following:

   1. Choose **Select from your KMS keys** and select the key you created from the dropdown list.

   1. Choose **Enter KMS key ARN** and enter the full ARN of your key.

1. Choose **Save**.

1. Choose **Enable** to complete the setup.

For more information, see [Enable IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html).

### Change the key configuration for an existing organization instance of IAM Identity Center
<a name="change-existing-instance-kms"></a>

You can change your customer managed KMS key to another key or switch to an AWS owned key at any time.

------
#### [ Console ]

 **To change your KMS key configuration** 

1. Open the IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. In the navigation pane, choose **Settings**.

1. Choose the **Additional settings** tab.

1. Choose **Manage encryption**.

1. Choose one of the following:

   1. **Customer managed key** - Select a different customer managed key from the dropdown or enter a new key ARN.

   1. **AWS owned key** - Switch to the default encryption option.

1. Choose **Save**.

------
#### [ AWS CLI ]

 **To change an existing organization instance of IAM Identity Center to use KMS customer managed key** 

```
aws sso-admin update-instance \
    --instance-arn arn:aws:sso:::instance/ssoins-1234567890abcdef \
    --encryption-configuration \
        KeyType=CUSTOMER_MANAGED_KEY,KmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab
```

 **To change an existing organization instance of IAM Identity Center to use AWS owned key** 

```
aws sso-admin update-instance \
    --instance-arn arn:aws:sso:::instance/ssoins-1234567890abcdef \
    --encryption-configuration KeyType=AWS_OWNED_KMS_KEY
```

------

 **Customer managed key considerations** 
+ Updating the KMS key configuration for IAM Identity Center has no effect on active user sessions in your IAM Identity Center. You can continue using the AWS access portal, the IAM Identity Center console, and IAM Identity Center service APIs during this process.
+ When switching to a new KMS key, IAM Identity Center validates that it can use the key successfully for encryption and decryption. If you made a mistake during the setup of the key policy or IAM policy, the console will show an explanatory error message, and the previous KMS key will remain in use.
+ The default annual KMS key rotation will take place automatically. You can refer to the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) for information on topics such as [key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html), [monitoring AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/monitoring-overview.html) and [controlling access to key deletion](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-adding-permission.html).

**Important**  
 If the customer managed KMS key in use by your IAM Identity Center instance is deleted, disabled, or inaccessible due to an incorrect KMS key policy, your workforce users and IAM Identity Center administrators will not be able to use IAM Identity Center. The loss of access can be temporary (a key policy can be corrected) or permanent (a deleted key cannot be restored) depending on the circumstances. We recommend you [restrict access](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-adding-permission.html) to critical operations, such as deleting or disabling the KMS key. Also, we recommend that your organization set up [AWS break-glass access procedures](https://docs.aws.amazon.com/wellarchitected/latest/devops-guidance/ag.sad.5-implement-break-glass-procedures.html) to ensure your privileged users can access AWS in the event that IAM Identity Center is inaccessible. 

## Where to find the required identifiers
<a name="find-the-required-identifiers"></a>

 When configuring permissions for your customer managed KMS key, you'll need specific AWS resource identifiers to complete the key policy and IAM policy statement templates. Insert the required identifiers (for example, organization ID) and IAM principal names in the KMS key policy statements. 

 Below is a guide to locating these identifiers in the AWS Management Console. 

 **IAM Identity Center Amazon Resource Name (ARN) and Identity Store ARN** 

 An IAM Identity Center instance is an AWS resource with its own unique ARN such as arn:aws:sso:::instance/ssoins-1234567890abcdef. The ARN follows the pattern documented in the IAM Identity Center resource types section of the Service Authorization Reference. 

 Every IAM Identity Center instance has an associated Identity Store that stores the user and group identities. An Identity Store has a unique identifier called Identity Store ID (for example, d-123456789a). The ARN follows the pattern documented in the Identity Store resource types section of the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycenterdirectory.html). 

 You can find both the ARN and the Identity Store ID values on the Settings page of your IAM Identity Center. The Identity store ID is in the Identity source tab. 

 **AWS Organizations ID** 

 If you want to specify an organization ID (for example, o-exampleorg1) in your key policy you can find its value in the Settings page of your IAM Identity Center and Organizations consoles. The ARN follows the pattern documented in the Organizations resource types section of the Service Authorization Reference. 

 **KMS key ARN** 

 You can find the ARN of a KMS key in the AWS KMS console. Choose Customer managed keys on the left, click the key whose ARN you want to look up, and you'll see it in the General configuration section. The ARN follows the pattern documented in the AWS KMS resource types section of the Service Authorization Reference. 

 See the AWS Key Management Service Developer Guide for more information about Key policies in AWS KMS and troubleshooting AWS KMS permissions. For more information about IAM policies and their JSON representation see the IAM User Guide. 

# Baseline KMS key and IAM policy statements
<a name="baseline-KMS-key-policy"></a>

The baseline KMS key and identity-based policies provided here serve as a foundation for common requirements. We also recommend that you review [Advanced KMS key policy statements](advanced-kms-policy.md) that provide more granular access controls, such as ensuring the KMS key is accessible only to a specific IAM Identity Center instance or AWS managed application. Before using advanced KMS key policy statements, review the [Considerations for choosing baseline vs. advanced KMS key policy statements](considerations-for-customer-managed-kms-keys-advanced.md#kms-policy-considerations-advanced-vs-baseline).

The following sections provide baseline policy statements for each use case. Expand the sections that match your use cases, and copy the KMS key policy statements. Then, return to [Step 2: Prepare KMS key policy statements](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements).

## Baseline KMS key policy statements for use of IAM Identity Center (required)
<a name="baseline-kms-key-policy-statements-for-use-of-iam-identity-center-mandatory"></a>

Use the following KMS key policy statement template in [Step 2: Prepare KMS key policy statements](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements) to allow IAM Identity Center, its associated Identity Store, and IAM Identity Center administrators to use the KMS key.
+ In the Principal element for administrator policy statements, specify the AWS account principals of the IAM Identity Center's administration accounts, which are the AWS organization management account and the delegated administration account, using the format "arn:aws:iam::111122223333:root". 
+ In the PrincipalArn element, replace the example ARNs with the IAM Identity Center administrators' IAM roles.

  You can specify either:
  + Specific IAM role ARN:

     `"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/ap-southeast-2/AWSReservedSSO_permsetname_12345678"` 
  + Wildcard pattern (recommended):

     `"arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/ap-southeast-2/AWSReservedSSO_permsetname_*"` 

  Using the wildcard (`*`) prevents access loss if the permission set is deleted and recreated, as Identity Center generates new unique identifiers for recreated permission sets. For an example implementation, see [Custom trust policy example](referencingpermissionsets.md#custom-trust-policy-example) .
+ In the SourceAccount element, specify the IAM Identity Center account ID.
+ Identity Store has its own service principal, `identitystore.amazonaws.com`, which must be allowed to use the KMS key.
+ These policy statements allow your IAM Identity Center instances in a specific AWS account to use the KMS key. To restrict access to a specific IAM Identity Center instance, see [Advanced KMS key policy statements](advanced-kms-policy.md). You can have only one IAM Identity Center instance for each AWS account.

KMS key policy statements

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": "sso.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        },
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "AllowIdentityStoreToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": "identitystore.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        },
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "identitystore.amazonaws.com",
          "sso.amazonaws.com"
        ]
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    }
  ]
}
```
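The bullets above describe why the administrator statements use a wildcard role pattern and why the service-principal statements carry `aws:SourceAccount`. The following Python is an added example (not AWS's own code or tooling) that builds those statements from a few parameters, approximates the `ArnLike` matching so you can see a recreated permission-set role still matching the wildcard pattern, and lints a policy for service-principal statements that grant key use without the `aws:SourceAccount` pin. All account IDs, Region codes and permission set names are the page's placeholders; the function names are this example's own.

```python
"""Added example: build the baseline Identity Center admin/service KMS key
statements from a few parameters and sanity-check them (not AWS's own code)."""
import fnmatch
import json

SSO_CTX = "kms:EncryptionContext:aws:sso:instance-arn"
IDS_CTX = "kms:EncryptionContext:aws:identitystore:identitystore-arn"
KEY_USE_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:ReEncryptTo",
                   "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext"}


def permission_set_role_pattern(account_id, region, permission_set):
    """Wildcard ARN for the IAM role provisioned from a permission set.

    The trailing '*' stands in for the suffix Identity Center generates, so the
    pattern keeps matching after the permission set is deleted and recreated.
    """
    return (f"arn:aws:iam::{account_id}:role/aws-reserved/sso.amazonaws.com/"
            f"{region}/AWSReservedSSO_{permission_set}_*")


def arn_like(pattern, arn):
    """Approximation of the IAM ArnLike operator ('*' and '?' wildcards, case-sensitive)."""
    return fnmatch.fnmatchcase(arn, pattern)


def build_baseline_key_policy(identity_center_account, admin_roles):
    """admin_roles maps an admin account ID to the role ARN patterns allowed from it."""
    principals = [f"arn:aws:iam::{acct}:root" for acct in admin_roles]
    patterns = [p for pats in admin_roles.values() for p in pats]
    admin_actions = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext"]
    service_actions = ["kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom",
                       "kms:GenerateDataKeyWithoutPlaintext"]

    def admin_use(sid, via_service, ctx_key):
        # Admins reach the key only through the service (kms:ViaService) and only
        # from roles matching the permission-set patterns (aws:PrincipalArn).
        return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principals},
                "Action": admin_actions, "Resource": "*",
                "Condition": {"ArnLike": {"aws:PrincipalArn": patterns},
                              "StringLike": {"kms:ViaService": via_service, ctx_key: "*"}}}

    def service_use(sid, service, ctx_key):
        # aws:SourceAccount pins the service principal to the Identity Center
        # account, so an instance in another account cannot use the key through it.
        return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": service},
                "Action": service_actions, "Resource": "*",
                "Condition": {"StringLike": {ctx_key: "*"},
                              "StringEquals": {"aws:SourceAccount": identity_center_account}}}

    return {"Version": "2012-10-17", "Statement": [
        admin_use("AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
                  "sso.*.amazonaws.com", SSO_CTX),
        admin_use("AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
                  "identitystore.*.amazonaws.com", IDS_CTX),
        {"Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey", "Effect": "Allow",
         "Principal": {"AWS": principals}, "Action": "kms:DescribeKey", "Resource": "*",
         "Condition": {"ArnLike": {"aws:PrincipalArn": patterns}}},
        service_use("AllowIAMIdentityCenterToUseTheKMSKey", "sso.amazonaws.com", SSO_CTX),
        service_use("AllowIdentityStoreToUseTheKMSKey", "identitystore.amazonaws.com", IDS_CTX),
        {"Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey", "Effect": "Allow",
         "Principal": {"Service": ["identitystore.amazonaws.com", "sso.amazonaws.com"]},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ]}


def unpinned_service_statements(policy):
    """Sids of statements that let a service principal use the key without aws:SourceAccount."""
    unpinned = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        principal = stmt.get("Principal")
        is_service = isinstance(principal, dict) and "Service" in principal
        pinned = "aws:SourceAccount" in stmt.get("Condition", {}).get("StringEquals", {})
        if is_service and KEY_USE_ACTIONS & set(actions) and not pinned:
            unpinned.append(stmt["Sid"])
    return unpinned


if __name__ == "__main__":
    # Constructed example values (the same placeholders the page uses).
    admin = permission_set_role_pattern("111122223333", "us-east-1", "Admin")
    delegated = permission_set_role_pattern("444455556666", "us-east-1", "DelegatedAdmin")
    policy = build_baseline_key_policy("111122223333",
                                       {"111122223333": [admin], "444455556666": [delegated]})
    print(json.dumps(policy, indent=2))
```

Run `unpinned_service_statements` over the policy you end up with after merging other use cases into it: a service-principal statement that grants key-use actions but has lost its `aws:SourceAccount` condition is the kind of drift that is easy to miss in a long policy.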

Use the following IAM policy statement template in [Step 4: Configure IAM policies for cross-account use of the KMS key](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key) to allow IAM Identity Center administrators to use the KMS key.
+ Replace the example key ARN in the `Resource` element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see [Where to find the required identifiers](identity-center-customer-managed-keys.md#find-the-required-identifiers).
+ These IAM policy statements grant KMS key access to the IAM principal but don't restrict which AWS service can make the request. The KMS key policy typically provides these service restrictions. However, you can add encryption context to this IAM policy to limit usage to a specific Identity Center instance. For details, refer to [Advanced KMS key policy statements](advanced-kms-policy.md).

IAM Policy statements required for delegated administrators of IAM Identity Center

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [{
      "Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToUseKMSkey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    {
      "Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToListKeyAliases",
      "Effect": "Allow",
      "Action": "kms:ListAliases",
      "Resource": "*"
    }
  ]
}
```

## Baseline KMS key and IAM policy statements for use of AWS managed applications
<a name="baseline-kms-key-policy-statements-for-use-of-aws-managed-applications"></a>

**Note**  
Some AWS managed applications cannot be used with IAM Identity Center configured with a customer managed KMS key. For more information, see [AWS managed applications that work with IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/awsapps-that-work-with-identity-center.html).

Use the following KMS key policy statement template in [Step 2: Prepare KMS key policy statements](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements) to allow both AWS managed applications and their administrators to use the KMS key.
+ Insert your AWS Organizations ID in the PrincipalOrgID and SourceOrgId conditions. For help finding the values of the referenced identifiers, see [Where to find the required identifiers](identity-center-customer-managed-keys.md#find-the-required-identifiers).
+ These policy statements allow any of your AWS managed applications and any IAM principals (application administrators) in the AWS organization to use kms:Decrypt using IAM Identity Center and Identity Store. To restrict these policy statements to specific AWS managed applications, accounts, or IAM Identity Center instances, see [Advanced KMS key policy statements](advanced-kms-policy.md).

  You can restrict access to specific application administrators by replacing `*` with specific IAM principals. To protect against IAM role name changes when permission sets are recreated, use the approach in the [Custom trust policy example](referencingpermissionsets.md#custom-trust-policy-example). For more information, see [Considerations for choosing baseline vs. advanced KMS key policy statements](considerations-for-customer-managed-kms-keys-advanced.md#kms-policy-considerations-advanced-vs-baseline).

KMS key policy statements

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-a1b2c3d4e5"
        },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-a1b2c3d4e5"
        },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        },
        "StringEquals": {
          "aws:SourceOrgID": "o-a1b2c3d4e5"
        }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        },
        "StringEquals": {
          "aws:SourceOrgID": "o-a1b2c3d4e5"
        }
      }
    }
  ]
}
```

Use the following IAM policy statement template in [Step 4: Configure IAM policies for cross-account use of the KMS key](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key) to allow administrators of AWS managed applications to use the KMS key from a member account.
+ Replace the example ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see [Where to find the required identifiers](identity-center-customer-managed-keys.md#find-the-required-identifiers).
+ Some AWS managed applications require you to configure permissions for IAM Identity Center service APIs. Before you configure a customer managed key in IAM Identity Center, verify that these permissions also allow use of the KMS key. For specific KMS key permission requirements, see the documentation for each AWS managed application you have deployed.

IAM policy statements required for administrators of AWS managed applications:

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [{
    "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "sso.*.amazonaws.com",
          "identitystore.*.amazonaws.com"
        ]
      }
    }
  }]
}
```

## Baseline KMS key statement for use of AWS Control Tower
<a name="baseline-kms-key-policy-statements-for-specific-use-cases"></a>

Use the following KMS key statement templates in [Step 2: Prepare KMS key policy statements](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements) to allow AWS Control Tower administrators to use the KMS key.
+ In the Principal element, specify the IAM principals used for access to the IAM Identity Center service APIs. For more information about IAM principals, see [Specifying a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.
+ These policy statements allow AWS Control Tower administrators to use the KMS key through any of your IAM Identity Center instances. However, AWS Control Tower restricts access to the organization instance of IAM Identity Center in the same AWS organization. Because of this restriction, there is no practical benefit to further restricting the KMS key to a specific IAM Identity Center instance as described in [Advanced KMS key policy statements](advanced-kms-policy.md).
+ To help protect against IAM role name changes when permission sets are recreated, use the approach described in the [Custom trust policy example](referencingpermissionsets.md#custom-trust-policy-example).

KMS key policy statement:

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [
    {
      "Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/AWSControlTowerAdmin"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowControlTowerAdminRoleToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/AWSControlTowerAdmin"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}
```

AWS Control Tower does not support delegated administration and, therefore, you don't need to configure an IAM policy for its administrators.

**Important**  
The preceding policy statement covers AWS Control Tower service-managed operations, such as automatic enrollment of accounts, where AWS Control Tower assumes the `AWSControlTowerAdmin` role. However, for customer-initiated operations such as provisioning accounts through Account Factory or calling AWS Control Tower APIs directly, AWS Control Tower uses [forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) and operates under the customer's own IAM role. This means the IAM role you use to initiate these operations also needs `kms:Decrypt` permissions on the customer managed KMS key.  
Add the following KMS key policy statements alongside the `AWSControlTowerAdmin` statements above. Replace *MyControlTowerRole* with the ARN of the IAM role you use to interact with AWS Control Tower, such as an IAM Identity Center permission set role (for example, `AWSReservedSSO_PermissionSetName_*`), a custom IAM role for automation, or any other role used to call AWS Control Tower or AWS Service Catalog APIs.

KMS key policy statement for customer-initiated AWS Control Tower operations:

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [
    {
      "Sid": "AllowCustomerRoleToUseTheKMSKeyViaIdentityCenterForControlTower",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/MyControlTowerRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"          
        }
      }
    },
    {
      "Sid": "AllowCustomerRoleToUseTheKMSKeyViaIdentityStoreForControlTower",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/MyControlTowerRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}
```

## Baseline KMS key and IAM policy statements for use of IAM Identity Center to Amazon EC2 instances
<a name="baseline-kms-key-policy-statements-for-use-of-sso-to-amazon-ec2-windows-instances"></a>

Use the following KMS key policy statement template in [Step 2: Prepare KMS key policy statements](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements) to allow users of single sign-on (SSO) to Amazon EC2 instances to use the KMS key across accounts.
+ Specify the IAM principals used for access to IAM Identity Center in the Principal field. For more information about IAM principals, see [Specifying a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.
+ This policy statement allows any of your IAM Identity Center instances to use the KMS key. To restrict access to a specific IAM Identity Center instance, see [Advanced KMS key policy statements](advanced-kms-policy.md).
+ To help protect against IAM role name changes when permission sets are recreated, use the approach described in the [Custom trust policy example](referencingpermissionsets.md#custom-trust-policy-example).

KMS key policy statement

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_MyPermissionSet_1a2b3c4d5e6f7g8h"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"

        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterPermissionSetRoleToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_MyPermissionSet_1a2b3c4d5e6f7g8h"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}
```

Use the following IAM policy statement template in [Step 4: Configure IAM policies for cross-account use of the KMS key](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key) to allow SSO to EC2 instances to use the KMS key.

Attach the IAM policy statement to the existing permission set in IAM Identity Center that you are using to allow SSO access to Amazon EC2 instances. For IAM policy examples, see [Remote Desktop Protocol connections](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.html#rdp-iam-policy-examples) in the *AWS Systems Manager User Guide*.
+ Replace the example ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see [Where to find the required identifiers](identity-center-customer-managed-keys.md#find-the-required-identifiers).

Permission set IAM policy:

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [{
    "Sid": "IAMPolicyToAllowKMSKeyUseViaIdentityCenterAndIdentityStore",
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "sso.*.amazonaws.com",
          "identitystore.*.amazonaws.com"
        ]
      }
    }
  }]
}
```

## Baseline KMS key and IAM policy statements for use of custom workflows with IAM Identity Center
<a name="baseline-kms-key-policy-statements-for-use-of-custom-workflows-with-iam-identity-center"></a>

Use the following KMS key policy statement templates in [Step 2: Prepare KMS key policy statements](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements) to allow custom workflows, such as customer managed applications, in the AWS Organizations management account or delegated administration account to use the KMS key. Note that SAML federation into customer managed applications does not require KMS key permissions.
+ In the Principal element, specify the IAM principals used to access IAM Identity Center service APIs. For more information about IAM principals, see [Specifying a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.
+ These policy statements allow your workflow to use the KMS key through any of your IAM Identity Center instances. To restrict access to a specific IAM Identity Center instance, see [Advanced KMS key policy statements](advanced-kms-policy.md).
+ To help protect against IAM role name changes when permission sets are recreated, use the approach described in the [Custom trust policy example](referencingpermissionsets.md#custom-trust-policy-example).

KMS key policy statement:

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [
    {
      "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/MyCustomWorkflowRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/MyCustomWorkflowRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    }
  ]
}
```

Use the following IAM policy statement template in [Step 4: Configure IAM policies for cross-account use of the KMS key](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key) to allow the IAM principal associated with the custom workflow to use the KMS key across accounts. Add the IAM policy statement to the IAM principal.
+ Replace the example ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see [Where to find the required identifiers](identity-center-customer-managed-keys.md#find-the-required-identifiers).

IAM policy statement (required only for cross-account use):

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [{
    "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenterAndIdentityStore",
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "sso.*.amazonaws.com",
          "identitystore.*.amazonaws.com"
        ]
      }
    }
  }]
}
```

## Examples of KMS key policy statements for common use cases
<a name="kms-key-policy-examples-for-common-use-cases"></a>

### IAM Identity Center with delegated administrators and AWS managed applications
<a name="example-identity-center-del-admin-aws-apps"></a>

This section contains example KMS key policy statements that you can use for an IAM Identity Center instance that has delegated administrators and AWS managed applications.

**Important**  
The KMS key policy statements assume that your IAM Identity Center instance is not used in any other use cases that require KMS key permissions. To confirm, you can review all [use cases](identity-center-customer-managed-keys.md#identify-use-cases). Also, to confirm whether your AWS managed applications require additional configuration, see [Additional configuration in some AWS managed applications](identity-center-customer-managed-keys.md#additional-config-in-some-aws-apps).

Copy the KMS key policy statements below the table and add them to your KMS key policy. This example uses the following example values: 
+  `111122223333` - Account ID of the IAM Identity Center instance 
+  `444455556666` - Delegated administration account ID 
+  `o-a1b2c3d4e5` - AWS organization ID 
+  `arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*` - A wildcard pattern of an IAM Identity Center administrator's IAM role provisioned from the permission set *Admin*. Such a role contains the Region code of the primary Region (us-east-1 in this example). 
+  `arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*` - A wildcard pattern of an IAM Identity Center delegated administrator's IAM role provisioned from the permission set *DelegatedAdmin*. Such a role contains the Region code of the primary Region (us-east-1 in this example). 

If the IAM role was not generated from a permission set, the IAM role will look like a regular one such as `arn:aws:iam::111122223333:role/idcadmin`.

```
{
  "Version": "2012-10-17", 		 	 	 
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*",
            "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*"
          ]
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": "sso.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        },
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "AllowIdentityStoreToUseTheKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": "identitystore.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        },
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "identitystore.amazonaws.com",
          "sso.amazonaws.com"
        ]
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-a1b2c3d4e5"
        },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowAppAdminsInTheSameOrganizationToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-a1b2c3d4e5"
        },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "*"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        },
        "StringEquals": {
          "aws:SourceOrgID": "o-a1b2c3d4e5"
        }
      }
    },
    {
      "Sid": "AllowManagedAppsToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        },
        "StringEquals": {
          "aws:SourceOrgID": "o-a1b2c3d4e5"
        }
      }
    }
  ]
}
```

# Advanced KMS key policy statements
<a name="advanced-kms-policy"></a>

 Use advanced KMS key policy statements to implement more granular access controls for your customer managed KMS key. These policies build on the [Baseline KMS key and IAM policy statements](baseline-KMS-key-policy.md) by adding encryption context conditions and service-specific restrictions. Before deciding whether to use advanced KMS key policy statements, make sure to review the pertinent considerations.

## Using encryption context to restrict access
<a name="using-encryption-context-to-restrict-access"></a>

 You can restrict KMS key usage to a specific IAM Identity Center instance by specifying an encryption context condition in your key policy statements. The baseline key policy statements already include this context with a generic value. Replace the `"*"` wildcard with a specific Identity Center instance ARN and Identity Store ARN to ensure the key works only with your intended instance. You can also add the same encryption context conditions to the IAM policy configured for cross-account use of the KMS key.

Identity Center

```
"StringEquals": {
    "kms:EncryptionContext:aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-1234567890abcdef"
}
```

Identity Store

```
"StringEquals": {
    "kms:EncryptionContext:aws:identitystore:identitystore-arn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
}
```

 If you need help finding these identifiers, see [Where to find the required identifiers](identity-center-customer-managed-keys.md#find-the-required-identifiers).

**Note**  
You can use a customer managed KMS key only with an organization instance of IAM Identity Center. The customer managed key must be located in the AWS organization's management account, which helps ensure the key is used with a single IAM Identity Center instance. The encryption context mechanism provides an additional, independent technical safeguard that the key is used with only one instance. You can also use the `aws:SourceArn` condition key in the KMS key policy statements intended for the Identity Center and Identity Store service principals.
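To see what the generic wildcard versus a specific ARN actually changes, and why the choice of operator matters, here is an added Python example that is not AWS code and not part of this documentation: a minimal model of how IAM evaluates the `Condition` block of a key policy statement, limited to the `StringEquals`, `StringLike` and `Bool` operators used in the templates on this page. It builds the read-only administrator statement and the "restrict by account" statement from this page and evaluates them against constructed request contexts. The second instance ARN, the region, the unlisted account ID and the request contexts are constructed; principal and resource matching, which the service performs before the conditions, are assumed to have succeeded.

```python
import re

# Added example, not AWS code: a minimal model of how IAM evaluates the Condition block
# of a KMS key policy statement, limited to the StringEquals, StringLike and Bool
# operators used in the templates on this page. Principal and Resource matching, which
# the service performs before the conditions, are assumed to have succeeded.

def _string_like(pattern: str, value: str) -> bool:
    """StringLike: '*' matches any run of characters, '?' exactly one; otherwise literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _values(v):
    return v if isinstance(v, list) else [v]

OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,   # exact match; '*' is a literal here
    "StringLike": _string_like,
    "Bool": lambda pattern, value: str(pattern).lower() == str(value).lower(),
}

def condition_matches(condition: dict, context: dict) -> bool:
    """All operators AND all keys must hold; any one of a key's listed values may match.
    A key missing from the request context fails (these are not ...IfExists operators)."""
    for operator, keys in condition.items():
        test = OPERATORS[operator]
        for key, patterns in keys.items():
            if key not in context or not any(test(p, context[key]) for p in _values(patterns)):
                return False
    return True

def allows(policy: dict, action: str, context: dict) -> bool:
    """True when some Allow statement grants the action and its conditions hold for the request."""
    return any(
        stmt.get("Effect") == "Allow"
        and action in _values(stmt["Action"])
        and condition_matches(stmt.get("Condition", {}), context)
        for stmt in policy["Statement"]
    )

def identity_center_policy(instance_arn_value: str, operator: str) -> dict:
    """The read-only administrator statement from this page, with the encryption context
    value placed under the given operator."""
    condition = {"StringLike": {"kms:ViaService": "sso.*.amazonaws.com"}}
    condition.setdefault(operator, {})["kms:EncryptionContext:aws:sso:instance-arn"] = instance_arn_value
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowReadOnlyAccessToIdentityCenterAPI",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/MyAdminRole"},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": condition,
    }]}

# Instance ARNs: the first is the documentation's placeholder, the second is constructed.
MY_INSTANCE = "arn:aws:sso:::instance/ssoins-1234567890abcdef"
OTHER_INSTANCE = "arn:aws:sso:::instance/ssoins-0fedcba987654321"

def request_from(instance_arn: str, region: str = "us-east-1") -> dict:
    """Constructed request context for a KMS call made by IAM Identity Center on a caller's behalf."""
    return {"kms:ViaService": f"sso.{region}.amazonaws.com",
            "kms:EncryptionContext:aws:sso:instance-arn": instance_arn}

GENERIC = identity_center_policy("*", "StringLike")             # baseline: any instance may use the key
SPECIFIC = identity_center_policy(MY_INSTANCE, "StringEquals")  # advanced: only this instance
MISTAKE = identity_center_policy("*", "StringEquals")           # '*' under StringEquals matches no real ARN

# The "restrict by account" template from this page; either listed account may match.
ACCOUNT_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowServiceInSpecificAccountsToUseTheKMSKeyViaIdentityCenter",
    "Effect": "Allow",
    "Principal": {"Service": "myapp.amazonaws.com"},
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {
        "StringEquals": {"aws:SourceAccount": ["111122223333", "444455556666"]},
        "StringLike": {"kms:ViaService": "sso.*.amazonaws.com",
                       "kms:EncryptionContext:aws:sso:instance-arn": MY_INSTANCE},
        "Bool": {"aws:PrincipalIsAWSService": "true"},
    },
}]}

def service_request(source_account: str, instance_arn: str = MY_INSTANCE) -> dict:
    """Constructed request context for an AWS managed application calling through Identity Center."""
    return {**request_from(instance_arn),
            "aws:SourceAccount": source_account, "aws:PrincipalIsAWSService": "true"}

if __name__ == "__main__":
    for name, policy in [("generic", GENERIC), ("specific", SPECIFIC), ("mistake", MISTAKE)]:
        print(f"{name:8s} my instance: {allows(policy, 'kms:Decrypt', request_from(MY_INSTANCE))}, "
              f"other instance: {allows(policy, 'kms:Decrypt', request_from(OTHER_INSTANCE))}")
    print("account 444455556666:", allows(ACCOUNT_SCOPED, "kms:Decrypt", service_request("444455556666")))
    print("account 999988887777:", allows(ACCOUNT_SCOPED, "kms:Decrypt", service_request("999988887777")))
```

The three policies differ only in the encryption context value and its operator: the generic `StringLike` pattern accepts both instances, the specific `StringEquals` ARN accepts only the intended one, and a `*` left under `StringEquals` is compared literally and therefore accepts neither, which is the failure mode behind the advice to switch operators when you replace the generic pattern with a full ARN.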

### Considerations for implementing encryption context conditions
<a name="considerations-for-implementing-encryption-context-conditions"></a>

Before implementing encryption context conditions, review these requirements:
+  **DescribeKey action.** The encryption context cannot be applied to the `kms:DescribeKey` action, which IAM Identity Center administrators use. When configuring your KMS key policy, exclude the encryption context condition from the statement that grants this action so that your IAM Identity Center instance operates properly. 
+  **New instance setup.** If you're enabling a new IAM Identity Center instance with a customer managed KMS key, see [Considerations for customer managed KMS keys and advanced KMS key policies](considerations-for-customer-managed-kms-keys-advanced.md). 
+  **Identity source changes.** When changing your identity source to or from Active Directory, the encryption context requires special attention. See [Considerations for changing your identity source](manage-your-identity-source-considerations.md).
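A static check that catches the first consideration before a policy is applied, as an added Python example that is not part of this documentation or of any AWS tooling: it parses a key policy document and reports statements that grant `kms:DescribeKey` together with an encryption context condition, statements that place a `*` under `StringEquals` (where it is a literal, not a wildcard), and statements open to service principals that lack the `aws:PrincipalIsAWSService` and source-scoping conditions. The third rule is this example's reading of the shape shared by every service-principal template on this page, not a requirement the page states. The sample policy, its `Sid` values and the finding messages are constructed; account and ARN values are the documentation's placeholders.

```python
import json

# Added example, not AWS tooling: a static check over a KMS key policy document that flags
# the pitfalls discussed in the considerations above. Rule names and messages are this
# example's own. IAM condition key names are case-insensitive, so keys are lower-cased first.

ENC_CTX_PREFIX = "kms:encryptioncontext:"
SOURCE_SCOPE_KEYS = {"aws:sourceorgid", "aws:sourceaccount", "aws:sourcearn"}

def _values(v):
    return v if isinstance(v, list) else [v]

def _conditions(stmt: dict):
    """Yield (operator, key, value) for every entry in the statement's Condition block."""
    for operator, keys in stmt.get("Condition", {}).items():
        for key, value in keys.items():
            yield operator, key, value

def lint_statement(stmt: dict) -> list[str]:
    sid = stmt.get("Sid", "<no Sid>")
    actions = {a.lower() for a in _values(stmt.get("Action", []))}
    conds = list(_conditions(stmt))
    enc_ctx = [(op, k, v) for op, k, v in conds if k.lower().startswith(ENC_CTX_PREFIX)]
    findings = []

    # Rule 1: the encryption context cannot be applied to kms:DescribeKey.
    if enc_ctx and actions & {"kms:describekey", "kms:*"}:
        findings.append(f"{sid}: kms:DescribeKey is granted together with an encryption context "
                        "condition; move DescribeKey to its own statement without that condition")

    # Rule 2: '*' is only a wildcard under StringLike; under StringEquals it is a literal string.
    for op, key, value in enc_ctx:
        if op == "StringEquals" and any("*" in str(x) for x in _values(value)):
            findings.append(f"{sid}: {key} uses '*' under StringEquals, which never matches a real "
                            "ARN; use StringLike for the generic pattern or a full ARN with StringEquals")

    # Rule 3 (this example's reading of the templates' shape): a statement for service principals
    # carries Bool aws:PrincipalIsAWSService=true and is scoped by organization, account or ARN.
    principal = stmt.get("Principal")
    service_stmt = principal == "*" or (isinstance(principal, dict) and "Service" in principal)
    if service_stmt and stmt.get("Effect") == "Allow":
        keys = {k.lower(): v for _, k, v in conds}
        if str(keys.get("aws:principalisawsservice", "")).lower() != "true":
            findings.append(f"{sid}: service-principal statement lacks Bool aws:PrincipalIsAWSService = true")
        if not SOURCE_SCOPE_KEYS & keys.keys():
            findings.append(f"{sid}: service-principal statement is not scoped by aws:SourceOrgID, "
                            "aws:SourceAccount or aws:SourceArn")
    return findings

def lint_key_policy(policy: dict) -> list[str]:
    return [f for stmt in policy.get("Statement", []) for f in lint_statement(stmt)]

# Constructed sample: one correct administrator statement, one statement that breaks rules 1 and 2,
# and one service-principal statement that is missing the organization/account scoping.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAdminDescribeKey",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/MyAdminRole"},
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "AdminDecryptAndDescribe",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/MyAdminRole"},
      "Action": ["kms:Decrypt", "kms:DescribeKey"],
      "Resource": "*",
      "Condition": {
        "StringLike": {"kms:ViaService": "sso.*.amazonaws.com"},
        "StringEquals": {"kms:EncryptionContext:aws:sso:instance-arn": "*"}
      }
    },
    {
      "Sid": "AllowManagedAppsViaIdentityCenter",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-1234567890abcdef"
        },
        "Bool": {"aws:PrincipalIsAWSService": "true"}
      }
    }
  ]
}
""")

if __name__ == "__main__":
    for finding in lint_key_policy(SAMPLE_POLICY):
        print(finding)
```

To check a real policy, load the document you are about to apply with `json.load` and pass it to `lint_key_policy`; an empty list means none of the three patterns was found, not that the policy is correct in every other respect.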

## Policy templates
<a name="advanced-policy-templates"></a>

 Choose from these advanced policy templates based on your security requirements. Balance granular access controls with the administrative overhead they introduce. 

Topics covered here:
+  [KMS policy statements for read-only use of a specific IAM Identity Center instance](#kms-policy-statements-for-read-only-use-of-a-specific-iam-identity-center-instance). This section demonstrates the use of the encryption context for read-only access to IAM Identity Center. 
+  [Refined KMS key policy statements for use of AWS managed applications](#refined-kms-key-policy-statements-for-use-of-aws-managed-applications). This section demonstrates how to refine the KMS key policies for AWS managed applications using the encryption context and application information, such as the application service principal, application ARN and AWS account ID. 

## KMS policy statements for read-only use of a specific IAM Identity Center instance
<a name="kms-policy-statements-for-read-only-use-of-a-specific-iam-identity-center-instance"></a>

 This policy allows [security auditors](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityAudit.html) and other personnel who need only read access to IAM Identity Center to use the KMS key. 

To use this policy:

1. Replace the example read-only administrator IAM principals with your actual administrator IAM principals

1. Replace the example IAM Identity Center instance ARN with your actual instance ARN

1. Replace the example Identity Store ARN with your actual Identity Store ARN

1. If using [delegated administration](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html), see [Step 4: Configure IAM policies for cross-account use of the KMS key](identity-center-customer-managed-keys.md#configure-iam-policies-kms-key)

If you need help finding the values of these identifiers, see [Where to find the required identifiers](identity-center-customer-managed-keys.md#find-the-required-identifiers).

Once you have updated the template with your values, return to [Step 2: Prepare KMS key policy statements](identity-center-customer-managed-keys.md#choose-kms-key-policy-statements) to prepare additional KMS key policy statements, as needed.

Granting `kms:Decrypt` alone does not make access read-only: the KMS key policy controls only use of the key. The principal's IAM policy must enforce read-only access to the IAM Identity Center service APIs.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnlyAccessToIdentityCenterAPI",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/MyAdminRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-1234567890abcdef"
        }
      }
    },
    {
      "Sid": "AllowReadOnlyAccessToIdentityStoreAPI",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/MyAdminRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
        }
      }
    }
  ]
}
```

## Refined KMS key policy statements for use of AWS managed applications
<a name="refined-kms-key-policy-statements-for-use-of-aws-managed-applications"></a>

 These policy templates provide more granular control over which AWS managed applications can use your KMS key. 

**Note**  
 Some AWS managed applications cannot be used with IAM Identity Center configured with a customer managed KMS key. See [AWS managed applications that you can use with IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/awsapps-that-work-with-identity-center.html). 

The [Baseline KMS key and IAM policy statements for use of AWS managed applications](baseline-KMS-key-policy.md#baseline-kms-key-policy-statements-for-use-of-aws-managed-applications) allow any AWS managed application from any account in the same AWS organization to use the KMS key. Use these refined policies to restrict access by:
+ Application service principal
+ Application instance ARNs
+ AWS account IDs
+ Encryption context for specific IAM Identity Center instances

**Note**  
A service principal is a unique identifier for an AWS service, typically formatted as `servicename.amazonaws.com` (for example, `elasticmapreduce.amazonaws.com` for Amazon EMR).

### Restrict by account
<a name="restrict-by-account"></a>

This KMS key policy statement template allows an AWS managed application deployed in specific AWS accounts to use the KMS key through a specific IAM Identity Center instance.

To use this policy:

1. Replace the example service principal with your actual application service principal

1. Replace the example account IDs with the actual account IDs where your AWS managed applications are deployed

1. Replace the example Identity Store ARN with your actual Identity Store ARN

1. Replace the example IAM Identity Center instance ARN with your actual instance ARN

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowServiceInSpecificAccountsToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": {
        "Service": "myapp.amazonaws.com"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111122223333",
            "444455556666"
          ]
        },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-1234567890abcdef"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    },
    {
      "Sid": "AllowServiceInSpecificAccountsToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": {
        "Service": "myapp.amazonaws.com"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111122223333",
            "444455556666"
          ]
        },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    }
  ]
}
```

### Restrict by application instance
<a name="restrict-by-application-instance"></a>

This KMS key policy statement template allows a specific AWS managed application instance to use the KMS key through a specific IAM Identity Center instance.

To use this policy:

1. Replace the example service principal with your actual application service principal

1. Replace the example application ARN with your actual application instance ARN

1. Replace the example Identity Store ARN with your actual Identity Store ARN

1. Replace the example IAM Identity Center instance ARN with your actual instance ARN

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificAppInstanceToUseTheKMSKeyViaIdentityCenter",
      "Effect": "Allow",
      "Principal": {
        "Service": "myapp.amazonaws.com"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceARN": "arn:aws:myapp:us-east-1:111122223333:application/my-application"
        },
        "StringLike": {
          "kms:ViaService": "sso.*.amazonaws.com",
          "kms:EncryptionContext:aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-1234567890abcdef"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    },
    {
      "Sid": "AllowSpecificAppInstanceToUseTheKMSKeyViaIdentityStore",
      "Effect": "Allow",
      "Principal": {
        "Service": "myapp.amazonaws.com"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceARN": "arn:aws:myapp:us-east-1:111122223333:application/my-application"
        },
        "StringLike": {
          "kms:ViaService": "identitystore.*.amazonaws.com",
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "arn:aws:identitystore::111122223333:identitystore/d-1234567890"
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        }
      }
    }
  ]
}
```

# Considerations for customer managed KMS keys and advanced KMS key policies
<a name="considerations-for-customer-managed-kms-keys-advanced"></a>

When implementing customer managed KMS keys with IAM Identity Center, consider these factors that affect setup, security, and ongoing maintenance of your encryption configuration.

## Considerations for choosing baseline vs. advanced KMS key policy statements
<a name="kms-policy-considerations-advanced-vs-baseline"></a>

When deciding whether to make the KMS key permissions more specific using [Advanced KMS key policy statements](advanced-kms-policy.md), consider the management overhead and the security needs of your organization. More specific policy statements provide finer-grained control over who can use the key and for what purposes; however, they require ongoing maintenance as your IAM Identity Center configuration evolves. For example, if you restrict the use of the KMS key to specific AWS managed application deployments, you'll need to update the key policy whenever your organization wants to deploy or undeploy an application. Less restrictive policies reduce administrative burden but may grant broader permissions than necessary for your security requirements.

## Considerations for enabling a new IAM Identity Center instance with a customer managed KMS key
<a name="considerations-for-enabling-new-instance"></a>

 The considerations here apply if you're using the encryption context as described in [Advanced KMS key policy statements](advanced-kms-policy.md) to restrict use of the KMS key to a specific IAM Identity Center instance. 

 When enabling a new IAM Identity Center instance with a customer managed KMS key, the IAM Identity Center and Identity Store ARNs are not available until after setup. You have the following options: 
+  Use generic ARN patterns temporarily, and then replace them with full ARNs after the instance is enabled. Remember to switch between the `StringEquals` and `StringLike` operators as needed: a wildcard pattern matches only under `StringLike`.
  +  For the IAM Identity Center SPN: `arn:${Partition}:sso:::instance/*`
  +  For the Identity Store SPN: `arn:${Partition}:identitystore::${Account}:identitystore/*`
+  Use `purpose:KEY_CONFIGURATION` in the ARN temporarily. This works only for instance enablement and must be replaced with the actual ARN for your IAM Identity Center instance to function normally. The advantage of this approach is that you cannot forget to replace the value after the instance is enabled.
  +  For the IAM Identity Center SPN, use: `arn:${Partition}:sso:::instance/purpose:KEY_CONFIGURATION`
  +  For the Identity Store SPN, use: `arn:${Partition}:identitystore::${Account}:identitystore/purpose:KEY_CONFIGURATION`

  **Important**  
  Don't apply this configuration to a KMS key already in use by an existing IAM Identity Center instance, as it may disrupt its normal operations.
+  Omit the encryption context condition from the KMS key policy until after the instance is enabled.