# Identity and access management for AWS Key Management Service
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) helps you securely control access to AWS resources. Administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS KMS resources. For more information, see [Using IAM policies with AWS KMS](iam-policies.md).

[Key policies](key-policies.md) are the primary mechanism for controlling access to KMS keys in AWS KMS. Every KMS key must have a key policy. You can also use [IAM policies](iam-policies.md) and [grants](grants.md), along with key policies, to control access to your KMS keys. For more information, see [KMS key access and permissions](control-access.md).

If you are using an Amazon Virtual Private Cloud (Amazon VPC), you can [create an interface VPC endpoint](kms-vpc-endpoint.md) to AWS KMS powered by [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/). You can also use VPC endpoint policies to determine which principals can access your AWS KMS endpoint, which API calls they can make, and which KMS key they can access.

**Topics**
+ [AWS managed policies for AWS Key Management Service](security-iam-awsmanpol.md)
+ [Using service-linked roles for AWS KMS](using-service-linked-roles.md)

# AWS managed policies for AWS Key Management Service
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AWSKeyManagementServicePowerUser
<a name="security-iam-awsmanpol-AWSKeyManagementServicePowerUser"></a>

You can attach the `AWSKeyManagementServicePowerUser` policy to your IAM identities.

You can use the `AWSKeyManagementServicePowerUser` managed policy to give IAM principals in your account the permissions of a power user. Power users can create KMS keys, use and manage the KMS keys they create, and view all KMS keys and IAM identities. Principals who have the `AWSKeyManagementServicePowerUser` managed policy can also get permissions from other sources, including key policies, other IAM policies, and grants. 

`AWSKeyManagementServicePowerUser` is an AWS managed IAM policy. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Note**  
Permissions in this policy that are specific to a KMS key, such as `kms:TagResource` and `kms:GetKeyRotationStatus`, are effective only when the key policy for that KMS key [explicitly allows the AWS account to use IAM policies](key-policy-default.md#key-policy-default-allow-root-enable-iam) to control access to the key. To determine whether a permission is specific to a KMS key, see [AWS KMS permissions](kms-api-permissions-reference.md) and look for a value of **KMS key** in the **Resources** column.   
This policy gives a power user permissions on any KMS key with a key policy that permits the operation. For cross-account permissions, such as `kms:DescribeKey` and `kms:ListGrants`, this might include KMS keys in untrusted AWS accounts. For details, see [Best practices for IAM policies](iam-policies-best-practices.md) and [Allowing users in other accounts to use a KMS key](key-policy-modifying-external-accounts.md). To determine whether a permission is valid on KMS keys in other accounts, see [AWS KMS permissions](kms-api-permissions-reference.md) and look for a value of **Yes** in the **Cross-account use** column.   
To allow principals to view the AWS KMS console without errors, they also need the [tag:GetResources](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html) permission, which is not included in the `AWSKeyManagementServicePowerUser` policy. You can allow this permission in a separate IAM policy.
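The note above has a practical consequence that is easy to miss in an audit: a principal holding `AWSKeyManagementServicePowerUser` may or may not be able to call `kms:TagResource` on a given key, depending on that key's policy. The following added example (not AWS code, and not part of this guide) checks a key policy for the usual enabling statement, the one that grants the account's root principal `kms:*`, and reports which of the key-specific permissions named above would actually be effective. The account ID `111122223333`, the role name `ExampleKeyUser`, and both key policies are constructed for the example. The check only recognises that one statement pattern; it is not a full IAM policy evaluator, so conditions, explicit denies, and grants are out of scope.

```python
"""Check whether IAM-policy permissions would be effective on a KMS key.

Added example, not AWS's own code. A key-specific permission carried by an IAM
policy (for example kms:TagResource from AWSKeyManagementServicePowerUser) only
works if the key policy lets the account use IAM policies. The common way that
is done is the default key policy statement granting the account root "kms:*".
"""
import json

# Key-specific permissions named on the page ("KMS key" in the Resources column).
KEY_SPECIFIC_ACTIONS = {"kms:TagResource", "kms:GetKeyRotationStatus"}


def _as_list(value):
    """IAM accepts either a string or a list of strings in these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def account_can_use_iam_policies(key_policy: dict, account_id: str) -> bool:
    """True if an unconditional Allow grants arn:aws:iam::<account>:root kms:* on *.

    This is the shape of the default key policy's "Enable IAM User Permissions"
    statement. Conditional statements are skipped: this is a simple check, not
    an evaluator, so a False result means "look closer", not "definitely denied".
    """
    root_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # a bare "*" principal is a different problem entirely
        principals = _as_list(principal.get("AWS"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if root_arn in principals and "kms:*" in actions and "*" in resources:
            return True
    return False


def effective_key_specific_actions(key_policy: dict, account_id: str,
                                   requested=KEY_SPECIFIC_ACTIONS) -> set:
    """Key-specific actions an IAM-policy holder in `account_id` could perform."""
    if account_can_use_iam_policies(key_policy, account_id):
        return set(requested)
    return set()


# Constructed sample key policies (hypothetical account 111122223333).
DEFAULT_STYLE_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
""")

ROLE_ONLY_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Only one role may use this key",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleKeyUser"},
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
      "Resource": "*"
    }
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("default-style", DEFAULT_STYLE_KEY_POLICY),
                         ("role-only", ROLE_ONLY_KEY_POLICY)):
        effective = effective_key_specific_actions(policy, "111122223333")
        print(f"{name}: power-user key-specific actions effective = {sorted(effective)}")
```

Run against the policy returned by `aws kms get-key-policy` for each key you care about; keys whose policy lacks the enabling statement are the ones where the power user's key-specific permissions do nothing, and any key that has it is one where a tag or alias change by a power user can alter access (see the ABAC discussion below).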

The [AWSKeyManagementServicePowerUser](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser) managed IAM policy includes the following permissions.
+ Allows principals to create KMS keys. Because this process includes setting the key policy, power users can give themselves and others permission to use and manage the KMS keys they create.
+ Allows principals to create and delete [aliases](kms-alias.md) and [tags](tagging-keys.md) on all KMS keys. Changing a tag or alias can allow or deny permission to use and manage the KMS key. For details, see [ABAC for AWS KMS](abac.md).
+ Allows principals to get detailed information about all KMS keys, including their key ARN, cryptographic configuration, key policy, aliases, tags, and [rotation status](rotate-keys.md).
+ Allows principals to list IAM users, groups, and roles.
+ This policy does not allow principals to use or manage KMS keys that they didn't create. However, they can change aliases and tags on all KMS keys, which might allow or deny them permission to use or manage a KMS key.

To view the permissions for this policy, see [AWSKeyManagementServicePowerUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSKeyManagementServicePowerUser.html) in the AWS Managed Policy Reference.

## AWS managed policy: AWSServiceRoleForKeyManagementServiceCustomKeyStores
<a name="security-iam-awsmanpol-AWSServiceRoleForKeyManagementServiceCustomKeyStores"></a>

You can't attach `AWSServiceRoleForKeyManagementServiceCustomKeyStores` to your IAM entities. This policy is attached to a service-linked role that gives AWS KMS permission to view the AWS CloudHSM clusters associated with your AWS CloudHSM key store and create the network to support a connection between your custom key store and its AWS CloudHSM cluster. For more information, see [Authorizing AWS KMS to manage AWS CloudHSM and Amazon EC2 resources](authorize-kms.md).

## AWS managed policy: AWSServiceRoleForKeyManagementServiceMultiRegionKeys
<a name="security-iam-awsmanpol-AWSServiceRoleForKeyManagementServiceMultiRegionKeys"></a>

You can't attach `AWSServiceRoleForKeyManagementServiceMultiRegionKeys` to your IAM entities. This policy is attached to a service-linked role that gives AWS KMS permission to synchronize any changes to the key material of a multi-Region primary key to its replica keys. For more information, see [Authorizing AWS KMS to synchronize multi-Region keys](multi-region-auth-slr.md).

## AWS KMS updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for AWS KMS since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS KMS [Document history](dochistory.md) page.


| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy](multi-region-auth-slr.md) – Update to existing policy  |  AWS KMS added a statement ID (`Sid`) field to the managed policy in policy version v2.  |  November 21, 2024  | 
|  [AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy](authorize-kms.md) – Update to existing policy  |  AWS KMS added the `ec2:DescribeVpcs`, `ec2:DescribeNetworkAcls`, and `ec2:DescribeNetworkInterfaces` permissions to monitor changes in the VPC that contains your AWS CloudHSM cluster so that AWS KMS can provide clear error messages in the case of failures.  |  November 10, 2023  | 
|  AWS KMS started tracking changes  |  AWS KMS started tracking changes for its AWS managed policies.  |  November 10, 2023  | 

# Using service-linked roles for AWS KMS
<a name="using-service-linked-roles"></a>

AWS Key Management Service uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to AWS KMS. Service-linked roles are defined by AWS KMS and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up AWS KMS easier because you don’t have to manually add the necessary permissions. AWS KMS defines the permissions of its service-linked roles, and unless defined otherwise, only AWS KMS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting the related resources. This protects your AWS KMS resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

To view details about updates to the service-linked roles discussed in this topic, see [AWS KMS updates to AWS managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

**Topics**
+ [Authorizing AWS KMS to manage AWS CloudHSM and Amazon EC2 resources](authorize-kms.md)
+ [Authorizing AWS KMS to synchronize multi-Region keys](multi-region-auth-slr.md)

# Authorizing AWS KMS to manage AWS CloudHSM and Amazon EC2 resources
<a name="authorize-kms"></a>

To support your AWS CloudHSM key stores, AWS KMS needs permission to get information about your AWS CloudHSM clusters. It also needs permission to create the network infrastructure that connects your AWS CloudHSM key store to its AWS CloudHSM cluster. To get these permissions, AWS KMS creates the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role in your AWS account. Users who create AWS CloudHSM key stores must have the `iam:CreateServiceLinkedRole` permission that allows them to create service-linked roles.

To view details about updates to the **AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy** managed policy, see [AWS KMS updates to AWS managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

**Topics**
+ [About the AWS KMS service-linked role](#about-key-store-slr)
+ [Create the service-linked role](#create-key-store-slr)
+ [Edit the service-linked role description](#edit-key-store-slr)
+ [Delete the service-linked role](#delete-key-store-slr)

## About the AWS KMS service-linked role
<a name="about-key-store-slr"></a>

A [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is an IAM role that gives one AWS service permission to call other AWS services on your behalf. It's designed to make it easier for you to use the features of multiple integrated AWS services without having to create and maintain complex IAM policies. For more information, see [Using service-linked roles for AWS KMS](using-service-linked-roles.md).

For AWS CloudHSM key stores, AWS KMS creates the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role with the **AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy** managed policy. This policy grants the role the following permissions:
+ [cloudhsm:Describe\*](https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) – detects changes in the AWS CloudHSM cluster that is attached to your custom key store.
+ [ec2:CreateSecurityGroup](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html) – used when you [connect an AWS CloudHSM key store](connect-keystore.md) to create the security group that enables network traffic flow between AWS KMS and your AWS CloudHSM cluster.
+ [ec2:AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html) – used when you [connect an AWS CloudHSM key store](connect-keystore.md) to allow network access from AWS KMS into the VPC that contains your AWS CloudHSM cluster.
+ [ec2:CreateNetworkInterface](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkInterface.html) – used when you [connect an AWS CloudHSM key store](connect-keystore.md) to create the network interface used for communication between AWS KMS and the AWS CloudHSM cluster.
+ [ec2:RevokeSecurityGroupEgress](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html) – used when you [connect an AWS CloudHSM key store](connect-keystore.md) to remove all outbound rules from the security group that AWS KMS created.
+ [ec2:DeleteSecurityGroup](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html) – used when you [disconnect an AWS CloudHSM key store](disconnect-keystore.md) to delete security groups that were created when you connected the AWS CloudHSM key store.
+ [ec2:DescribeSecurityGroups](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) – used to monitor changes in the security group that AWS KMS created in the VPC that contains your AWS CloudHSM cluster so that AWS KMS can provide clear error messages in case of failures.
+ [ec2:DescribeVpcs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcs.html) – used to monitor changes in the VPC that contains your AWS CloudHSM cluster so that AWS KMS can provide clear error messages in case of failures.
+ [ec2:DescribeNetworkAcls](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkAcls.html) – used to monitor changes in the network ACLs for the VPC that contains your AWS CloudHSM cluster so that AWS KMS can provide clear error messages in case of failures.
+ [ec2:DescribeNetworkInterfaces](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkInterfaces.html) – used to monitor changes in the network interfaces that AWS KMS created in the VPC that contains your AWS CloudHSM cluster so that AWS KMS can provide clear error messages in case of failures.

**JSON**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudhsm:Describe*",
        "ec2:CreateNetworkInterface",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeVpcs",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    }
  ]
}
```

Because the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role trusts only `cks.kms.amazonaws.com`, only AWS KMS can assume this service-linked role. This role is limited to the operations that AWS KMS needs to view your AWS CloudHSM clusters and to connect an AWS CloudHSM key store to its associated AWS CloudHSM cluster. It does not give AWS KMS any additional permissions. For example, AWS KMS does not have permission to create, manage, or delete your AWS CloudHSM clusters, HSMs, or backups.

**Regions**

Like the AWS CloudHSM key stores feature, the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** role is supported in all AWS Regions where AWS KMS and AWS CloudHSM are available. For a list of AWS Regions that each service supports, see [AWS Key Management Service Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/kms.html) and [AWS CloudHSM endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/cloudhsm.html) in the *Amazon Web Services General Reference*.

For more information about how AWS services use service-linked roles, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the IAM User Guide.

## Create the service-linked role
<a name="create-key-store-slr"></a>

AWS KMS automatically creates the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role in your AWS account when you create an AWS CloudHSM key store, if the role does not already exist. You cannot create or re-create this service-linked role directly. 

## Edit the service-linked role description
<a name="edit-key-store-slr"></a>

You cannot edit the role name or the policy statements in the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role, but you can edit the role description. For instructions, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Delete the service-linked role
<a name="delete-key-store-slr"></a>

AWS KMS does not delete the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role from your AWS account even if you have [deleted all of your AWS CloudHSM key stores](delete-keystore.md). Although there is currently no procedure for deleting the **AWSServiceRoleForKeyManagementServiceCustomKeyStores** service-linked role, AWS KMS does not assume this role or use its permissions unless you have active AWS CloudHSM key stores.

# Authorizing AWS KMS to synchronize multi-Region keys
<a name="multi-region-auth-slr"></a>

To support [multi-Region keys](multi-region-keys-auth.md), AWS KMS needs permission to synchronize the [shared properties](multi-region-keys-overview.md#mrk-sync-properties) of a multi-Region primary key with its replica keys. To get these permissions, AWS KMS creates the **AWSServiceRoleForKeyManagementServiceMultiRegionKeys** service-linked role in your AWS account. Users who create multi-Region keys must have the `iam:CreateServiceLinkedRole` permission that allows them to create service-linked roles.

You can view the [SynchronizeMultiRegionKey](ct-synchronize-multi-region-key.md) CloudTrail event that records AWS KMS synchronizing shared properties in your AWS CloudTrail logs.

To view details about updates to the **AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy** managed policy, see [AWS KMS updates to AWS managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

**Topics**
+ [About the service-linked role for multi-Region keys](#about-multi-region-slr)
+ [Create the service-linked role](#create-mrk-slr)
+ [Edit the service-linked role description](#edit-mrk-slr)
+ [Delete the service-linked role](#delete-mrk-slr)

## About the service-linked role for multi-Region keys
<a name="about-multi-region-slr"></a>

A [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is an IAM role that gives one AWS service permission to call other AWS services on your behalf. It's designed to make it easier for you to use the features of multiple integrated AWS services without having to create and maintain complex IAM policies.

For multi-Region keys, AWS KMS creates the **AWSServiceRoleForKeyManagementServiceMultiRegionKeys** service-linked role with the **AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy** managed policy. This policy gives the role the `kms:SynchronizeMultiRegionKey` permission, which allows it to synchronize the shared properties of multi-Region keys.

Because the **AWSServiceRoleForKeyManagementServiceMultiRegionKeys** service-linked role trusts only `mrk.kms.amazonaws.com`, only AWS KMS can assume this service-linked role. This role is limited to the operations that AWS KMS needs to synchronize multi-Region shared properties. It does not give AWS KMS any additional permissions. For example, AWS KMS does not have permission to create, replicate, or delete any KMS keys.
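Both service-linked roles on this page are described the same way: the trust policy names exactly one service principal (`cks.kms.amazonaws.com` for the AWS CloudHSM key store role, `mrk.kms.amazonaws.com` for the multi-Region key role), and the attached managed policy allows a fixed list of actions. The following added example (not AWS code, and not part of this guide) turns those statements into a check a practitioner can run over the role and policy documents pulled from an account: it fails if the trust policy admits any other principal, or if the permissions policy allows an action the documentation does not list. The trust policy documents and the tampered policy below are constructed for the example; they are written in the shape `aws iam get-role` and `aws iam get-policy-version` return, but nothing here calls AWS.

```python
"""Verify that the two KMS service-linked roles match their documented shape.

Added example, not AWS's own code. The documented allowlists come from the
policy JSON shown on this page; the trust policies are constructed to match
the service principals the page names. Feed real documents from
`aws iam get-role` / `aws iam get-policy-version` into verify_slr().
"""
import fnmatch

# Documented service principal and permitted actions for each role.
DOCUMENTED_SLRS = {
    "AWSServiceRoleForKeyManagementServiceCustomKeyStores": {
        "service": "cks.kms.amazonaws.com",
        "actions": {
            "cloudhsm:Describe*",
            "ec2:CreateNetworkInterface",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateSecurityGroup",
            "ec2:DescribeSecurityGroups",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:DeleteSecurityGroup",
            "ec2:DescribeVpcs",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeNetworkInterfaces",
        },
    },
    "AWSServiceRoleForKeyManagementServiceMultiRegionKeys": {
        "service": "mrk.kms.amazonaws.com",
        "actions": {"kms:SynchronizeMultiRegionKey"},
    },
}


def _as_list(value):
    """IAM accepts either a string or a list of strings in these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy: dict) -> set:
    """Principals that an Allow statement lets call sts:AssumeRole."""
    trusted = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            trusted.update(_as_list(principal.get("Service")))
            trusted.update(_as_list(principal.get("AWS")))  # any account/role is a finding
        else:
            trusted.add(str(principal))  # a bare "*" means anyone
    return trusted


def undocumented_actions(policy_doc: dict, documented: set) -> set:
    """Allowed actions not covered by any documented pattern (e.g. cloudhsm:Describe*)."""
    extra = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if not any(fnmatch.fnmatchcase(action, pattern) for pattern in documented):
                extra.add(action)
    return extra


def verify_slr(role_name: str, trust_policy: dict, policy_doc: dict) -> list:
    """Return human-readable findings; an empty list means the role matches the docs."""
    expected = DOCUMENTED_SLRS[role_name]
    findings = []
    trusted = trusted_services(trust_policy)
    if trusted != {expected["service"]}:
        findings.append(f"trust policy admits {sorted(trusted)}, expected only {expected['service']}")
    extra = undocumented_actions(policy_doc, expected["actions"])
    if extra:
        findings.append(f"permissions policy allows undocumented actions: {sorted(extra)}")
    return findings


def _trust_for(service: str) -> dict:
    """Constructed trust policy in the shape AssumeRolePolicyDocument uses."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"Service": service},
                           "Action": "sts:AssumeRole"}]}


# Constructed inputs: the documented policies plus one tampered variant.
CKS_ROLE = "AWSServiceRoleForKeyManagementServiceCustomKeyStores"
MRK_ROLE = "AWSServiceRoleForKeyManagementServiceMultiRegionKeys"
CKS_TRUST = _trust_for("cks.kms.amazonaws.com")
MRK_TRUST = _trust_for("mrk.kms.amazonaws.com")
OPEN_TRUST = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}
CKS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(DOCUMENTED_SLRS[CKS_ROLE]["actions"]), "Resource": "*"}]}
MRK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KMSSynchronizeMultiRegionKey", "Effect": "Allow",
     "Action": ["kms:SynchronizeMultiRegionKey"], "Resource": "*"}]}
TAMPERED_CKS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudhsm:DescribeClusters", "cloudhsm:DeleteCluster"], "Resource": "*"}]}

if __name__ == "__main__":
    for role, trust, policy in ((CKS_ROLE, CKS_TRUST, CKS_POLICY), (MRK_ROLE, MRK_TRUST, MRK_POLICY),
                                (CKS_ROLE, CKS_TRUST, TAMPERED_CKS_POLICY), (CKS_ROLE, OPEN_TRUST, CKS_POLICY)):
        print(role, verify_slr(role, trust, policy) or "OK")
```

Because you cannot edit these roles yourself, any finding from this check is a signal that the documents you pulled did not come from the role AWS KMS created, or that the documentation has moved on; in either case the updates table under "AWS KMS updates to AWS managed policies" is the place to reconcile the allowlist.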

For more information about how AWS services use service-linked roles, see [Using Service-Linked Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the IAM User Guide.

**JSON**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KMSSynchronizeMultiRegionKey",
      "Effect": "Allow",
      "Action": [
        "kms:SynchronizeMultiRegionKey"
      ],
      "Resource": "*"
    }
  ]
}
```

## Create the service-linked role
<a name="create-mrk-slr"></a>

AWS KMS automatically creates the **AWSServiceRoleForKeyManagementServiceMultiRegionKeys** service-linked role in your AWS account when you create a multi-Region key, if the role does not already exist. You cannot create or re-create this service-linked role directly. 

## Edit the service-linked role description
<a name="edit-mrk-slr"></a>

You cannot edit the role name or the policy statements in the **AWSServiceRoleForKeyManagementServiceMultiRegionKeys** service-linked role, but you can edit the role description. For instructions, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Delete the service-linked role
<a name="delete-mrk-slr"></a>

AWS KMS does not delete the **AWSServiceRoleForKeyManagementServiceMultiRegionKeys** service-linked role from your AWS account and you cannot delete it. However, AWS KMS does not assume the **AWSServiceRoleForKeyManagementServiceMultiRegionKeys** role or use any of its permissions unless you have multi-Region keys in your AWS account and Region. 