KMS customer-managed key policy
The following is a valid key policy for use with the solution when using the Personalize KMS Key ARN parameter.
Warning
If KMS encryption is required, provide the Personalize KMS Key ARN when the stack is created. Do not update an existing stack to add KMS, and do not remove the key after it is set. Either change leaves resources unable to update because their security configurations differ.
{
  "Version": "2012-10-17",
  "Id": "PersonalizePolicy",
  "Statement": [
    {
      "Sid": "Allow use for the Personalize service",
      "Effect": "Allow",
      "Principal": {
        "Service": "personalize.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_id>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
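Because the key cannot be added or removed after the stack is created, it helps to check the key policy before deployment. The following is an added example, not part of the solution's own code: a check that a key policy document contains both grants shown in the policy above. The function names, the account ID `111122223333` and both sample policies are constructed for illustration.

```python
import json

SERVICE = "personalize.amazonaws.com"
# Actions the page's policy grants to the Personalize service principal.
REQUIRED = ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey"]


def as_list(value):
    """Policy JSON allows Action, Principal and Statement as one value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants(granted, action):
    """Exact match, '*' or 'kms:*' only; partial wildcards are not expanded."""
    return any(g in ("*", "kms:*") or g.lower() == action.lower() for g in granted)


def check_key_policy(policy_json, account_id):
    """Return findings; an empty list means both statements from the page are present."""
    root = {account_id, f"arn:aws:iam::{account_id}:root"}
    service_actions, root_actions = [], []
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        # Conservative: conditional or non-Allow statements are not counted as grants.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt or not isinstance(principal, dict):
            continue
        if SERVICE in as_list(principal.get("Service")):
            service_actions += as_list(stmt.get("Action"))
        if root & set(as_list(principal.get("AWS"))):
            root_actions += as_list(stmt.get("Action"))
    findings = [f"{SERVICE} lacks {a}" for a in REQUIRED if not grants(service_actions, a)]
    if not grants(root_actions, "kms:*"):
        findings.append("account root lacks kms:*")
    return findings


# Constructed sample input: the page's policy with a placeholder account ID filled in.
ACCOUNT = "111122223333"
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "PersonalizePolicy", "Statement": [
    {"Sid": "Allow use for the Personalize service", "Effect": "Allow",
     "Principal": {"Service": SERVICE}, "Action": REQUIRED, "Resource": "*"},
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"}]})
# Constructed broken variant: GenerateDataKey dropped and the root statement removed.
BROKEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": [SERVICE]},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}})

if __name__ == "__main__":
    print(check_key_policy(PAGE_POLICY, ACCOUNT))
    print(check_key_policy(BROKEN_POLICY, ACCOUNT))
```

The check is deliberately strict: a grant that carries a `Condition` block or uses a partial wildcard is reported as missing and should be reviewed by hand.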