AWS KMS (IAM)
AWS Key Management Service (KMS) is a managed service for creating and controlling encryption keys used to protect data across AWS services and applications.
Common permissions
- kms:ListKeys
- kms:DescribeKey
- kms:ListAliases
- kms:CreateKey
- kms:CreateAlias
- kms:TagResource
- kms:GetKeyPolicy
- kms:ListResourceTags

Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:DescribeKey",
        "kms:ListAliases",
        "kms:CreateKey",
        "kms:CreateAlias",
        "kms:TagResource",
        "kms:GetKeyPolicy",
        "kms:ListResourceTags"
      ],
      "Resource": "*"
    }
  ]
}

Warnings
- Avoid kms:* — grants full control including key deletion and policy modification
- Avoid kms:PutKeyPolicy unless needed — can change key permissions and lock out users
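The two warnings above are easy to check mechanically before a policy is attached. The following is an added example, not code from the original page or from AWS: a small Python linter that walks an IAM policy document, normalises the string-or-list fields, expands IAM action wildcards (`*` and `?`, case-insensitive) and reports any Allow statement whose granted actions reach `kms:*` or `kms:PutKeyPolicy`. The page's least-privilege policy is embedded as the passing case; the function names and the `RISKY_ACTIONS` table are this example's own.

```python
import json
import re

# The page's least-privilege policy, embedded so the example runs offline.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListKeys", "kms:DescribeKey", "kms:ListAliases",
                "kms:CreateKey", "kms:CreateAlias", "kms:TagResource",
                "kms:GetKeyPolicy", "kms:ListResourceTags",
            ],
            "Resource": "*",
        }
    ],
}

# Actions the Warnings section says to avoid in application policies
# (the table itself is constructed for this example).
RISKY_ACTIONS = {
    "kms:*": "full control of KMS, including key deletion and policy modification",
    "kms:PutKeyPolicy": "can change key permissions and lock out users",
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_pattern(granted):
    """Compile an IAM action string to a regex.

    IAM action matching supports '*' (any run of characters) and '?'
    (one character) and compares action names case-insensitively.
    """
    regex = "".join(
        ".*" if part == "*" else "." if part == "?" else re.escape(part)
        for part in re.split(r"([*?])", granted)
    )
    return re.compile(f"^{regex}$", re.IGNORECASE)


def find_risky_grants(policy):
    """Return one finding dict per (Allow statement, risky action) pair.

    A granted action covers a risky one when its wildcard pattern matches it;
    matching the literal string 'kms:*' is used as the test for "all of KMS".
    Accepts a parsed policy or its JSON text.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anything
        if "NotAction" in stmt:
            # Allow + NotAction grants every action not listed, which almost
            # always includes the risky ones; flag it for manual review.
            findings.append({"statement": index, "action": "NotAction",
                             "reason": "Allow with NotAction grants every unlisted action"})
            continue
        patterns = [_action_pattern(a) for a in _as_list(stmt.get("Action"))]
        for risky, reason in RISKY_ACTIONS.items():
            if any(p.match(risky) for p in patterns):
                findings.append({"statement": index, "action": risky, "reason": reason})
    return findings


def is_least_privilege(policy):
    """True when no Allow statement reaches a risky KMS action."""
    return not find_risky_grants(policy)


if __name__ == "__main__":
    print("page policy ok:", is_least_privilege(LEAST_PRIVILEGE_POLICY))
    broad = {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}}
    for finding in find_risky_grants(broad):
        print(finding)
```

Run it on a policy document before attaching it: the page's example produces no findings, while a statement granting `kms:*` is reported twice (once for full control, once because it also covers `kms:PutKeyPolicy`). The wildcard expansion matters because a grant such as `kms:Put*` reaches `kms:PutKeyPolicy` without ever naming it.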
Resources
API
full doc /v1/iam/kms