

# Determining access to AWS KMS keys
<a name="determining-access"></a>

To determine the full extent of who or what currently has access to an AWS KMS key, you must examine the key policy of the KMS key, all [grants](grants.md) that apply to the KMS key, and potentially all AWS Identity and Access Management (IAM) policies. You might do this to determine the scope of potential usage of a KMS key, or to help you meet compliance or auditing requirements. The following topics can help you generate a complete list of the AWS principals (identities) that currently have access to a KMS key.

**Topics**
+ [Examining the key policy](determining-access-key-policy.md)
+ [Examining IAM policies](determining-access-iam-policies.md)
+ [Examining grants](determining-access-grants.md)

# Examining the key policy
<a name="determining-access-key-policy"></a>

[Key policies](key-policies.md) are the primary way to control access to KMS keys. Every KMS key has exactly one key policy.

When a key policy consists of or includes the [default key policy](key-policy-default.md#key-policy-default-allow-root-enable-iam), the key policy allows IAM administrators in the account to use IAM policies to control access to the KMS key. Also, if the key policy gives [another AWS account](key-policy-modifying-external-accounts.md) permission to use the KMS key, the IAM administrators in the external account can use IAM policies to delegate those permissions. To determine the complete list of principals that can access the KMS key, [examine the IAM policies](determining-access-iam-policies.md). 

To view the key policy of an AWS KMS [customer managed key](concepts.md#customer-mgn-key) or [AWS managed key](concepts.md#aws-managed-key) in your account, use the AWS Management Console or the [GetKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyPolicy.html) operation in the AWS KMS API. To view the key policy, you must have `kms:GetKeyPolicy` permission for the KMS key. For instructions for viewing the key policy for a KMS key, see [View a key policy](key-policy-viewing.md).

Examine the key policy document and take note of all principals specified in each policy statement's `Principal` element. In a policy statement with an `Allow` effect, the IAM users, IAM roles, and AWS accounts in the `Principal` element have access to this KMS key.

**Note**  
Do not set the Principal to an asterisk (`*`) in any key policy statement that allows permissions unless you use [conditions](policy-conditions.md) to limit the key policy. An asterisk gives every identity in every AWS account permission to use the KMS key, unless another policy statement explicitly denies it. Users in other AWS accounts can use your KMS key whenever they have corresponding permissions in their own account.

The following examples use the policy statements found in the [default key policy](key-policy-default.md) to demonstrate how to do this.

**Example Policy statement 1**  

```
{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "kms:*",
  "Resource": "*"
}
```
In policy statement 1, `arn:aws:iam::111122223333:root` is an [AWS account principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts) that refers to the AWS account 111122223333. (It is not the account root user.) By default, a policy statement like this one is included in the key policy document when you create a new KMS key with the AWS Management Console, or create a new KMS key programmatically but do not provide a key policy.  
A key policy document with a statement that allows access to the AWS account enables [IAM policies in the account to allow access to the KMS key](key-policy-default.md#key-policy-default-allow-root-enable-iam). This means that users and roles in the account might have access to the KMS key even if they are not explicitly listed as principals in the key policy document. Take care to [examine all IAM policies](determining-access-iam-policies.md) in all AWS accounts listed as principals to determine whether they allow access to this KMS key.

**Example Policy statement 2**  

```
{
  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/KMSKeyAdmins"},
  "Action": [
    "kms:Describe*",
    "kms:Put*",
    "kms:Create*",
    "kms:Update*",
    "kms:Enable*",
    "kms:Revoke*",
    "kms:List*",
    "kms:Disable*",
    "kms:Get*",
    "kms:Delete*",
    "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion"
  ],
  "Resource": "*"
}
```
In policy statement 2, `arn:aws:iam::111122223333:role/KMSKeyAdmins` refers to the IAM role named KMSKeyAdmins in AWS account 111122223333. Users who are authorized to assume this role are allowed to perform the actions listed in the policy statement, which are the administrative actions for managing a KMS key.

**Example Policy statement 3**  

```
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/EncryptionApp"},
  "Action": [
    "kms:DescribeKey",
    "kms:GenerateDataKey*",
    "kms:Encrypt",
    "kms:ReEncrypt*",
    "kms:Decrypt"
  ],
  "Resource": "*"
}
```
In policy statement 3, `arn:aws:iam::111122223333:role/EncryptionApp` refers to the IAM role named EncryptionApp in AWS account 111122223333. Principals who are authorized to assume this role are allowed to perform the actions listed in the policy statement, which include the [cryptographic operations](kms-cryptography.md#cryptographic-operations) for a symmetric encryption KMS key.

**Example Policy statement 4**  

```
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/EncryptionApp"},
  "Action": [
    "kms:ListGrants",
    "kms:CreateGrant",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
}
```
In policy statement 4, `arn:aws:iam::111122223333:role/EncryptionApp` refers to the IAM role named EncryptionApp in AWS account 111122223333. Principals who are authorized to assume this role are allowed to perform the actions listed in the policy statement. These actions, when combined with the actions allowed in **Example policy statement 3**, are those necessary to delegate use of the KMS key to most [AWS services that integrate with AWS KMS](service-integration.md), specifically the services that use [grants](grants.md). The [kms:GrantIsForAWSResource](conditions-kms.md#conditions-kms-grant-is-for-aws-resource) value in the `Condition` element ensures that the delegation is allowed only when the delegate is an AWS service that integrates with AWS KMS and uses grants for authorization.
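The walk through the four statements above is easy to do by hand for a default key policy, but real key policies accumulate statements. The following script is an added example, not code from AWS or from this guide: it applies the same procedure mechanically to a key policy document. It collects every principal named in an `Allow` statement together with the actions it is allowed, records which account principals (`arn:aws:iam::<id>:root`) mean "also examine the IAM policies in that account", and flags any statement that allows `Principal: "*"` without a `Condition`, which is the case the note above warns against. The sample policy is constructed from the four statements shown above plus one hypothetical `BadWildcard` statement added purely so the audit has something to flag.

```python
import json

# Constructed sample: the four default key policy statements shown above, plus one
# hypothetical over-permissive statement ("BadWildcard") that the audit should flag.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/KMSKeyAdmins"},
         "Action": ["kms:Describe*", "kms:Put*", "kms:Create*", "kms:Update*",
                    "kms:Enable*", "kms:Revoke*", "kms:List*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/EncryptionApp"},
         "Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt",
                    "kms:ReEncrypt*", "kms:Decrypt"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/EncryptionApp"},
         "Action": ["kms:ListGrants", "kms:CreateGrant", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}},
        {"Sid": "BadWildcard", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Flatten a statement's Principal element into a list of principal strings.

    Handles the bare "*" form and the {"AWS"|"Service"|"Federated": value} map,
    where value is a string or a list. Non-AWS kinds are prefixed so that a
    service principal is never mistaken for an account or role ARN.
    """
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    found = []
    if isinstance(principal, dict):
        for kind, value in principal.items():
            for p in _as_list(value):
                found.append(p if kind == "AWS" else f"{kind}:{p}")
    return found


def is_account_principal(principal):
    """An account principal is 'arn:aws:iam::<id>:root' or a bare 12-digit account id."""
    return principal.endswith(":root") or (principal.isdigit() and len(principal) == 12)


def account_id(principal):
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def audit_key_policy(policy_json):
    """Collect, per Allow statement, who is granted which actions and what needs follow-up.

    Returns a dict with:
      principals              {principal: set(actions)} for every Allow principal
      accounts_to_examine     account ids whose IAM policies must also be examined
      unconditioned_wildcards Sids that allow Principal "*" with no Condition element
    """
    policy = json.loads(policy_json)
    result = {"principals": {}, "accounts_to_examine": set(), "unconditioned_wildcards": []}
    for stmt in _as_list(policy.get("Statement")):
        # Only Allow statements confer access; Deny statements override Allows and are
        # weighed separately when a specific request is evaluated.
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        for p in principals_of(stmt):
            result["principals"].setdefault(p, set()).update(actions)
            if p == "*" and not stmt.get("Condition"):
                result["unconditioned_wildcards"].append(stmt.get("Sid", "<no Sid>"))
            elif is_account_principal(p):
                # Account principal: IAM policies in that account may allow any user or role.
                result["accounts_to_examine"].add(account_id(p))
    return result


if __name__ == "__main__":
    report = audit_key_policy(SAMPLE_KEY_POLICY)
    for principal, actions in sorted(report["principals"].items()):
        print(f"{principal}: {', '.join(sorted(actions))}")
    print("Accounts whose IAM policies must be examined:", sorted(report["accounts_to_examine"]))
    print("Statements allowing Principal * without a Condition:", report["unconditioned_wildcards"])
```

Feed `audit_key_policy` the `Policy` string returned by `GetKeyPolicy` (or saved from the console) instead of the constructed sample. The `accounts_to_examine` set is the input to the next section: each listed account is one where the IAM policies have to be examined before the list of principals is complete.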

To learn all the different ways you can specify a principal in a key policy document, see [Specifying a Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Principal_specifying) in the *IAM User Guide*.

To learn more about AWS KMS key policies, see [Key policies in AWS KMS](key-policies.md).

# Examining IAM policies
<a name="determining-access-iam-policies"></a>

In addition to the key policy and grants, you can also use [IAM policies](iam-policies.md) to allow access to a KMS key. For more information about how IAM policies and key policies work together, see [Troubleshooting AWS KMS permissions](policy-evaluation.md).

To determine which principals currently have access to a KMS key through IAM policies, you can use the browser-based [IAM Policy Simulator](https://policysim.aws.amazon.com/) tool, or you can make requests to the IAM API.

**Contents**
+ [Examining IAM policies with the IAM policy simulator](#determining-access-iam-policy-simulator)
+ [Examining IAM policies with the IAM API](#determining-access-iam-api)

## Examining IAM policies with the IAM policy simulator
<a name="determining-access-iam-policy-simulator"></a>

The IAM Policy Simulator can help you learn which principals have access to a KMS key through an IAM policy.

**To use the IAM policy simulator to determine access to a KMS key**

1. Sign in to the AWS Management Console and then open the IAM Policy Simulator at [https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/).

1. In the **Users, Groups, and Roles** pane, choose the user, group, or role whose policies you want to simulate.

1. (Optional) Clear the check box next to any policies that you want to omit from the simulation. To simulate all policies, leave all policies selected.

1. In the **Policy Simulator** pane, do the following:

   1. For **Select service**, choose **Key Management Service**.

   1. To simulate specific AWS KMS actions, for **Select actions**, choose the actions to simulate. To simulate all AWS KMS actions, choose **Select All**.

1. (Optional) The Policy Simulator simulates access to all KMS keys by default. To simulate access to a specific KMS key, choose **Simulation Settings** and then type the Amazon Resource Name (ARN) of the KMS key to simulate.

1. Choose **Run Simulation**.

You can view the results of the simulation in the **Results** section. Repeat steps 2 through 6 for every user, group, and role in the AWS account.

## Examining IAM policies with the IAM API
<a name="determining-access-iam-api"></a>

You can use the IAM API to examine IAM policies programmatically. The following steps provide a general overview of how to do this:

1. For each AWS account listed as a principal in the key policy (that is, each [AWS account principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts) specified in this format: `"Principal": {"AWS": "arn:aws:iam::111122223333:root"}`), use the [ListUsers](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUsers.html) and [ListRoles](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRoles.html) operations in the IAM API to get all users and roles in the account.

1. For each user and role in the list, use the [SimulatePrincipalPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html) operation in the IAM API, passing in the following parameters:
   + For `PolicySourceArn`, specify the Amazon Resource Name (ARN) of a user or role from your list. You can specify only one `PolicySourceArn` for each `SimulatePrincipalPolicy` request, so you must call this operation multiple times, once for each user and role in your list.
   + For the `ActionNames` list, specify every AWS KMS API action to simulate. To simulate all AWS KMS API actions, use `kms:*`. To test individual AWS KMS API actions, precede each API action with "`kms:`", for example "`kms:ListKeys`". For a complete list of AWS KMS API actions, see [Actions](https://docs.aws.amazon.com/kms/latest/APIReference/API_Operations.html) in the *AWS Key Management Service API Reference*.
   + (Optional) To determine whether the users or roles have access to specific KMS keys, use the `ResourceArns` parameter to specify a list of the Amazon Resource Names (ARNs) of the KMS keys. To determine whether the users or roles have access to any KMS key, omit the `ResourceArns` parameter.

IAM responds to each `SimulatePrincipalPolicy` request with an evaluation decision: `allowed`, `explicitDeny`, or `implicitDeny`. For each response that contains an evaluation decision of `allowed`, the response includes the name of the specific AWS KMS API operation that is allowed. It also includes the ARN of the KMS key that was used in the evaluation, if any.
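The two steps above, written out as code, look like the following. This is an added example, not an AWS sample; it is written against the request and response shapes of `ListUsers`, `ListRoles` and `SimulatePrincipalPolicy` as the IAM API documents them (`IsTruncated`/`Marker` pagination, and an `EvaluationResults` list whose entries carry `EvalActionName`, `EvalDecision` and `EvalResourceName`). The `iam` argument is any object with those three methods; a real `boto3.client("iam")` fits, but so that the example runs offline it is exercised here with a constructed `FakeIam` stand-in whose canned answers (alice and EncryptionApp allowed, bob not) are invented for the demonstration. The key ARN is the one used in this guide's examples.

```python
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _paginate(operation, result_key, **params):
    """Walk an IAM operation that pages with IsTruncated/Marker, yielding each item."""
    marker = None
    while True:
        if marker:
            params["Marker"] = marker
        page = operation(**params)
        yield from page.get(result_key, [])
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]


def list_principal_arns(iam):
    """Step 1: every IAM user and role ARN in the account the client is bound to."""
    arns = [u["Arn"] for u in _paginate(iam.list_users, "Users")]
    arns += [r["Arn"] for r in _paginate(iam.list_roles, "Roles")]
    return arns


def simulate_kms_access(iam, key_arn, action_names=("kms:*",)):
    """Step 2: one SimulatePrincipalPolicy call per principal, keeping only 'allowed'.

    Returns {principal_arn: [(action, resource_arn), ...]}. Principals whose every
    decision is implicitDeny or explicitDeny do not appear in the result.
    """
    allowed = {}
    for arn in list_principal_arns(iam):
        results = _paginate(
            iam.simulate_principal_policy, "EvaluationResults",
            PolicySourceArn=arn, ActionNames=list(action_names), ResourceArns=[key_arn],
        )
        for r in results:
            if r.get("EvalDecision") == "allowed":
                allowed.setdefault(arn, []).append((r["EvalActionName"], r.get("EvalResourceName")))
    return allowed


class FakeIam:
    """Constructed stand-in for a boto3 IAM client with canned responses, so the
    procedure above can be exercised offline. ListUsers is split across two pages
    to exercise the Marker handling."""

    def __init__(self):
        self.simulated = []  # principals passed to SimulatePrincipalPolicy, in order

    def list_users(self, **params):
        if "Marker" not in params:
            return {"Users": [{"Arn": "arn:aws:iam::111122223333:user/alice"}],
                    "IsTruncated": True, "Marker": "page-2"}
        return {"Users": [{"Arn": "arn:aws:iam::111122223333:user/bob"}], "IsTruncated": False}

    def list_roles(self, **params):
        return {"Roles": [{"Arn": "arn:aws:iam::111122223333:role/EncryptionApp"}],
                "IsTruncated": False}

    def simulate_principal_policy(self, **params):
        arn = params["PolicySourceArn"]
        self.simulated.append(arn)
        # Invented outcome for the demo: alice and EncryptionApp may use the key, bob may not.
        decision = "allowed" if arn.endswith(("user/alice", "role/EncryptionApp")) else "implicitDeny"
        return {"EvaluationResults": [
            {"EvalActionName": action, "EvalDecision": decision,
             "EvalResourceName": params["ResourceArns"][0]}
            for action in params["ActionNames"]
        ], "IsTruncated": False}


if __name__ == "__main__":
    # Against a real account: import boto3; iam = boto3.client("iam"), using credentials
    # for each AWS account named as a principal in the key policy, one account at a time.
    for principal, hits in simulate_kms_access(FakeIam(), KEY_ARN, ["kms:Decrypt"]).items():
        print(principal, "->", hits)
```

Because `SimulatePrincipalPolicy` accepts a single `PolicySourceArn`, the number of API calls grows with the number of users and roles, so for a large account run this once per account named in the key policy and keep the output rather than re-querying per key.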

# Examining grants
<a name="determining-access-grants"></a>

Grants are an advanced permissions mechanism that you, or an AWS service integrated with AWS KMS, can use to specify how and when a KMS key can be used. Grants are attached to a KMS key, and each grant contains the principal who receives permission to use the KMS key and a list of operations that are allowed. Grants are an alternative to the key policy, and are useful for specific use cases. For more information, see [Grants in AWS KMS](grants.md).

To get a list of grants for a KMS key, use the AWS KMS [ListGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html) operation. You can examine the grants for a KMS key to determine who or what currently has access to use the KMS key via those grants. For example, the following is a JSON representation of a grant that was obtained from the [list-grants](https://docs.aws.amazon.com/cli/latest/reference/kms/list-grants.html) command in the AWS CLI.

```
{"Grants": [{
  "Operations": ["Decrypt"],
  "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  "Name": "0d8aa621-43ef-4657-b29c-3752c41dc132",
  "RetiringPrincipal": "arn:aws:iam::123456789012:root",
  "GranteePrincipal": "arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-5d476fab",
  "GrantId": "dc716f53c93acacf291b1540de3e5a232b76256c83b2ecb22cdefa26576a2d3e",
  "IssuingAccount": "arn:aws:iam::111122223333:root",
  "CreationDate": 1.444151834E9,
  "Constraints": {"EncryptionContextSubset": {"aws:ebs:id": "vol-5cccfb4e"}}
}]}
```

To find out who or what has access to use the KMS key, look for the `"GranteePrincipal"` element. In the preceding example, the grantee principal is an assumed role user that is associated with the EC2 instance i-5d476fab. The EC2 infrastructure uses this role to attach the encrypted EBS volume vol-5cccfb4e to the instance. In this case, the EC2 infrastructure role has permission to use the KMS key because you previously created an encrypted EBS volume that is protected by this KMS key. You then attached the volume to an EC2 instance.

The following is another example of a JSON representation of a grant that was obtained from the [list-grants](https://docs.aws.amazon.com/cli/latest/reference/kms/list-grants.html) command in the AWS CLI. In the following example, the grantee principal is another AWS account.

```
{"Grants": [{
  "Operations": ["Encrypt"],
  "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  "Name": "",
  "GranteePrincipal": "arn:aws:iam::444455556666:root",
  "GrantId": "f271e8328717f8bde5d03f4981f06a6b3fc18bcae2da12ac38bd9186e7925d11",
  "IssuingAccount": "arn:aws:iam::111122223333:root",
  "CreationDate": 1.444151269E9
}]}
```
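Reading `GranteePrincipal` by eye works for two grants; a key used by several services can carry many. The following script is an added example, not AWS code: it turns a `list-grants` response into audit rows, classifying each grantee (an assumed-role session such as the EC2 infrastructure role above, an IAM role or user, or a whole account), marking grants whose grantee sits in a different account from the key, and recording whether the grant is narrowed by `Constraints` or is unconstrained. The input is constructed from the two grants shown above merged into one response; the function names are this example's own.

```python
import json
from datetime import datetime, timezone

# Constructed input: the two grants shown above, merged into one list-grants style response.
SAMPLE_LIST_GRANTS = json.dumps({"Grants": [
    {"Operations": ["Decrypt"],
     "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "Name": "0d8aa621-43ef-4657-b29c-3752c41dc132",
     "RetiringPrincipal": "arn:aws:iam::123456789012:root",
     "GranteePrincipal": "arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-5d476fab",
     "GrantId": "dc716f53c93acacf291b1540de3e5a232b76256c83b2ecb22cdefa26576a2d3e",
     "IssuingAccount": "arn:aws:iam::111122223333:root",
     "CreationDate": 1.444151834E9,
     "Constraints": {"EncryptionContextSubset": {"aws:ebs:id": "vol-5cccfb4e"}}},
    {"Operations": ["Encrypt"],
     "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "Name": "",
     "GranteePrincipal": "arn:aws:iam::444455556666:root",
     "GrantId": "f271e8328717f8bde5d03f4981f06a6b3fc18bcae2da12ac38bd9186e7925d11",
     "IssuingAccount": "arn:aws:iam::111122223333:root",
     "CreationDate": 1.444151269E9},
]})


def parse_arn(arn):
    """Split an ARN into (service, account, resource). The resource part may itself
    contain colons (the role name 'aws:ec2-infrastructure' above), so split at most 5 times."""
    parts = arn.split(":", 5)
    return parts[2], parts[4], parts[5]


def classify_grantee(arn):
    """Describe a grant's GranteePrincipal.

    Returns (kind, account, detail): kind is 'assumed-role', 'role', 'user',
    'account' or 'other'; detail carries the role/session or user name.
    """
    service, account, resource = parse_arn(arn)
    if service == "sts" and resource.startswith("assumed-role/"):
        _, role_name, session = resource.split("/", 2)
        return "assumed-role", account, {"role": role_name, "session": session}
    if resource == "root":
        return "account", account, {}
    kind, _, name = resource.partition("/")
    if kind in ("role", "user"):
        return kind, account, {"name": name}
    return "other", account, {"resource": resource}


def summarize_grants(list_grants_json):
    """Turn a ListGrants response into audit rows: who, from which account, what, how constrained."""
    rows = []
    for g in json.loads(list_grants_json)["Grants"]:
        _, key_account, _ = parse_arn(g["KeyId"])
        kind, grantee_account, detail = classify_grantee(g["GranteePrincipal"])
        rows.append({
            "grant_id": g["GrantId"],
            "grantee": g["GranteePrincipal"],
            "grantee_type": kind,
            "grantee_detail": detail,
            "cross_account": grantee_account != key_account,
            "operations": list(g.get("Operations", [])),
            # Constraints limit the grant to requests whose encryption context matches.
            "constraints": g.get("Constraints", {}),
            "retiring_principal": g.get("RetiringPrincipal"),
            "created": datetime.fromtimestamp(g["CreationDate"], tz=timezone.utc).isoformat(),
        })
    return rows


if __name__ == "__main__":
    for row in summarize_grants(SAMPLE_LIST_GRANTS):
        flag = " [CROSS-ACCOUNT]" if row["cross_account"] else ""
        scope = "constrained" if row["constraints"] else "UNCONSTRAINED"
        print(f"{row['grantee_type']:13} {row['grantee']}{flag}: "
              f"{','.join(row['operations'])} ({scope}, created {row['created']})")
```

Pipe the output of `aws kms list-grants --key-id <key ARN>` into `summarize_grants` to run it against a real key. The second grant above shows up as cross-account and unconstrained, which is exactly the kind of entry to confirm against a known integration before moving on.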