AWS KMS - Key Policies

Purpose

  • Define who can use or manage a KMS key, similar to S3 bucket policies.
  • Without a key policy, no one can access the key, regardless of IAM permissions.

Default Policy

  • Created automatically if no custom policy is specified.
  • Grants full access to the AWS account root user.

Custom Policies

  • Specify principals (users, roles) allowed to use or administer the key.
  • Separate permissions for administrators (e.g., rotation, deletion) and usage (encrypt/decrypt).
  • Required for cross-account key sharing.

Key Takeaway

  • Key policies are mandatory for KMS access control.
  • IAM policies alone cannot grant access without a matching key policy entry.
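
As an added example, not part of these notes, the Python below builds a constructed key policy with the administrator/usage split and cross-account principal from the Custom Policies section, then evaluates access the way the Key Takeaway describes; the account IDs, role names and the simplified evaluator (`key_policy_allows`, `effective_access`) are assumptions for illustration, not AWS's actual policy engine.

```python
import fnmatch

# Constructed example key policy (not from the notes); account IDs and role names are placeholders.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Default-style statement: root access, which is also what lets IAM policies in this account apply
            "Sid": "EnableRootAndIAM", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*", "Resource": "*"},
        {   # Administrators manage the key (rotation, deletion, policy) but get no Encrypt/Decrypt
            "Sid": "KeyAdministrators", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/KmsAdmin"},
            "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Put*", "kms:Update*",
                       "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
            "Resource": "*"},
        {   # Key users, including a role in a second account (cross-account sharing)
            "Sid": "KeyUsers", "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111122223333:role/AppRole",
                                  "arn:aws:iam::444455556666:role/PartnerApp"]},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def key_policy_allows(policy, principal_arn, action):
    """True if an Allow statement names principal_arn and its Action matches (wildcards allowed).
    Simplified: ignores Deny statements, Condition blocks and the Resource element."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn in principals and any(
                fnmatch.fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            return True
    return False

def effective_access(policy, principal_arn, action, iam_allows):
    """Combine key policy and IAM the way the notes describe: a direct key-policy entry grants
    access by itself; an IAM Allow only counts when the key policy also grants the principal's
    account root (the default statement), so IAM alone can never open a key."""
    if key_policy_allows(policy, principal_arn, action):
        return True
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    return bool(iam_allows) and key_policy_allows(policy, account_root, action)
```

With an empty `Statement` list the evaluator returns False for every caller even when `iam_allows` is True, which is the "no key policy, no access" rule from the Purpose section.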