AWS KMS Key Policy Management in AWS KMS (2024)

What is an AWS KMS key?

In AWS, a KMS key is the root of trust you use to protect the other encryption keys in your system (for example, the data keys that actually encrypt your data). A KMS key is a logical representation of a cryptographic key, and KMS keys are the primary resources in AWS KMS. A KMS key contains the key material used to encrypt and decrypt data, along with metadata such as the key ID, creation date, description, and key state.

You can start using AWS KMS through the web console or via API. There are two types of AWS KMS keys that you can create in AWS KMS: symmetric encryption keys and asymmetric keys.

  • A symmetric encryption key is a 256-bit key used for standard encryption and decryption.
  • An asymmetric key is either an RSA key pair, used for encryption and decryption or for signing and verification (but not both), or an elliptic curve (ECC) key pair used for signing and verification.

AWS also breaks KMS key ownership down into three categories: customer-managed keys, AWS managed keys, and AWS owned keys. Generally, when you create a KMS key, AWS KMS generates the key material for it; if you require full control of your keys, customer-managed keys allow you to import your own key material into AWS. The level of control you have differs per category: customer-managed keys are the least restricted and AWS owned keys are the most restricted.

How To Manage Access To Your KMS Key

To protect your KMS key from unauthorized access, you must attach a key policy to it. Key policies help protect your KMS key by defining specific requirements that must be fulfilled before an action is permitted. The policy structure is similar to IAM policies, and it also uses JSON formatting. Here is a basic example of a key policy:

[Image: example key policy JSON (not recoverable from this page)]

To create your key policy, you must first indicate the policy version you will be using. Then, in each statement body, you must include the following elements:

  • Effect – indicates whether the statement allows or denies the listed actions
  • Principal – the identity to which the statement grants or denies permissions
  • Action – the permissions that you want to grant or deny to the principal
  • Resource – the resources that the statement applies to

You can also include the following optional parameters in your statement body:

  • Sid – a unique identifier for the policy statement
  • Condition – conditions that must be met before the statement takes effect

The AWS KMS documentation has a list of all accepted values for the policy body, along with some examples to guide you through.

The key policy applied to a KMS key created through the AWS KMS API

When you create a KMS key using the API and do not provide a key policy in the parameters, AWS KMS automatically creates and assigns a default key policy to the KMS key. This default key policy has a single policy statement that gives the AWS account (root user) that owns the KMS key full access to the KMS key, which in turn enables IAM policies in that account to allow access to the KMS key. If you later decide to change the contents of the key policy, you create a new policy and attach it to your KMS key, replacing the old one.

The key policy applied to a KMS key created through the AWS Management Console

When you create a KMS key with the AWS Management Console, you can choose the IAM users, IAM roles, and AWS accounts that should be given access to the KMS key, and these are added to a default key policy that the console creates for you. With the console, you can also view or modify your key policies. The console's default key policy likewise gives the AWS account (root user) that owns the KMS key full access to it. In addition, you can specify in the default key policy which IAM users and roles will be key administrators and which will be key users; each group gets its own policy statement with a different set of permissions.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

Sources:

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#managing-access
