Controlling access to grants - AWS Key Management Service

Controlling access to grants

You can control access to the operations that create and manage grants in key policies, IAM policies, and in grants. Principals whose CreateGrant permission comes from a grant, rather than from a key policy or IAM policy, have more limited grant permissions.

API operation         Key policy or IAM policy                              Grant
CreateGrant           ✓                                                     ✓
ListGrants            ✓                                                     -
ListRetirableGrants   ✓                                                     -
RetireGrant           ✓ (Limited. See Retiring and revoking grants)         ✓
RevokeGrant           ✓                                                     -

When you use a key policy or IAM policy to control access to operations that create and manage grants, you can use one or more of the following policy conditions to limit the permission. AWS KMS supports all of the following grant-related condition keys. For detailed information and examples, see AWS KMS condition keys.

kms:GrantConstraintType

Allows principals to create a grant only when the grant includes the specified grant constraint.

kms:GrantIsForAWSResource

Allows principals to call CreateGrant, ListGrants, or RevokeGrant only when an AWS service that is integrated with AWS KMS sends the request on the principal's behalf.

kms:GrantOperations

Allows principals to create a grant, but limits the grant to the specified operations.

kms:GranteePrincipal

Allows principals to create a grant only for the specified grantee principal.

kms:RetiringPrincipal

Allows principals to create a grant only when the grant specifies a particular retiring principal.
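The following is an added example, not code from the AWS documentation: a key policy statement that combines the grant-related condition keys listed above to let one role create narrowly scoped grants, together with a small local evaluator that approximates how those conditions judge a CreateGrant request. The evaluator is a teaching aid that models only the five condition keys on this page (not Principal, Resource or Deny evaluation); AWS KMS makes the real decision. All ARNs are constructed placeholders.

```python
"""Key policy statement using the KMS grant condition keys, plus a local
approximation of how IAM evaluates them against a CreateGrant request.
Added example; ARNs and account IDs are constructed placeholders."""
import json

# Constructed placeholder principals (not real accounts or roles).
APP_ROLE = "arn:aws:iam::111122223333:role/app-role"
GRANTEE = "arn:aws:iam::111122223333:role/data-pipeline"
RETIRER = "arn:aws:iam::111122223333:role/key-admin"

# app-role may create grants on this key, but only: for one grantee, naming
# key-admin as retiring principal, with an EncryptionContextSubset constraint,
# and for a fixed set of operations.  The Action is deliberately limited to
# CreateGrant: kms:GranteePrincipal, kms:RetiringPrincipal, kms:GrantOperations
# and kms:GrantConstraintType exist only in CreateGrant's request context, so a
# StringEquals test on them would deny ListGrants if it were in the same statement.
CREATE_GRANT_STATEMENT = {
    "Sid": "AllowNarrowCreateGrant",
    "Effect": "Allow",
    "Principal": {"AWS": APP_ROLE},
    "Action": "kms:CreateGrant",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:GranteePrincipal": GRANTEE,
            "kms:RetiringPrincipal": RETIRER,
            "kms:GrantConstraintType": "EncryptionContextSubset",
        },
        # kms:GrantOperations is multivalued: ForAllValues requires every
        # operation in the request to appear in this list.
        "ForAllValues:StringEquals": {
            "kms:GrantOperations": ["Encrypt", "Decrypt", "GenerateDataKey"]
        },
    },
}


def grant_constraint_type(constraints):
    """Map a CreateGrant Constraints parameter to the kms:GrantConstraintType value
    (EncryptionContextEquals or EncryptionContextSubset), or None if absent."""
    constraints = constraints or {}
    for ctype in ("EncryptionContextEquals", "EncryptionContextSubset"):
        if ctype in constraints:
            return ctype
    return None


def grant_request_matches(statement, request):
    """Return (matches, reason) for a CreateGrant request dict shaped like the
    API parameters: GranteePrincipal, RetiringPrincipal, Operations, Constraints.
    Only the grant-related condition keys are modelled."""
    cond = statement["Condition"]
    # Single-valued keys derived from the request.  As in IAM, a StringEquals
    # test on a key that is absent from the request context evaluates to false.
    single = {
        "kms:GranteePrincipal": request.get("GranteePrincipal"),
        "kms:RetiringPrincipal": request.get("RetiringPrincipal"),
        "kms:GrantConstraintType": grant_constraint_type(request.get("Constraints")),
    }
    for key, expected in cond.get("StringEquals", {}).items():
        actual = single.get(key)
        if actual is None:
            return False, f"{key} is missing from the request"
        if actual != expected:
            return False, f"{key}={actual!r} is not the allowed value"
    # Multivalued key: every requested operation must be in the allowed set.
    # (ForAllValues is vacuously true when the request lists no operations.)
    allowed_ops = set(cond.get("ForAllValues:StringEquals", {}).get("kms:GrantOperations", []))
    extra = set(request.get("Operations", [])) - allowed_ops
    if allowed_ops and extra:
        return False, f"operations not permitted by kms:GrantOperations: {sorted(extra)}"
    return True, "all grant conditions satisfied"


# Constructed sample requests: one conforming, three that each violate one key.
CONFORMING_REQUEST = {
    "GranteePrincipal": GRANTEE,
    "RetiringPrincipal": RETIRER,
    "Operations": ["Encrypt", "Decrypt"],
    "Constraints": {"EncryptionContextSubset": {"app": "billing"}},
}
WRONG_GRANTEE = dict(CONFORMING_REQUEST, GranteePrincipal=APP_ROLE)
DELEGATES_CREATEGRANT = dict(CONFORMING_REQUEST, Operations=["Encrypt", "CreateGrant"])
NO_CONSTRAINT = dict(CONFORMING_REQUEST, Constraints=None)

if __name__ == "__main__":
    print(json.dumps(CREATE_GRANT_STATEMENT, indent=2))
    for name, req in [("conforming", CONFORMING_REQUEST), ("wrong grantee", WRONG_GRANTEE),
                      ("delegates CreateGrant", DELEGATES_CREATEGRANT), ("no constraint", NO_CONSTRAINT)]:
        print(f"{name}: {grant_request_matches(CREATE_GRANT_STATEMENT, req)}")
```

Two points the evaluator makes explicit: kms:GrantOperations must be tested with a ForAllValues set operator, otherwise a request that adds an operation outside the list can still match; and the single-valued keys are only present when the action is CreateGrant, so a statement that mixes them with ListGrants or RevokeGrant permissions silently denies those calls.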