4.2.2. KMS Key Policies and Grants
First Principle: KMS key policies and grants provide granular control over who can manage and use Customer Managed Keys (CMKs), ensuring secure and precise access to encryption operations.
For security specialists, managing access to Customer Managed Keys (CMKs) in AWS Key Management Service (KMS) is crucial. This is done through key policies and grants.
Key Concepts of KMS Key Policies and Grants:
- Key Policy:
- What it is: The primary access control mechanism for a CMK. It is a resource-based IAM policy attached directly to the CMK.
- Purpose: Defines who (principals) can use or manage the CMK and what cryptographic operations they can perform (e.g., kms:Encrypt, kms:Decrypt, kms:GenerateDataKey).
- Default: When you create a CMK, a default key policy is created that grants the account root user full access to the key. You then add other IAM users or roles to the key policy.
- Relationship with IAM Policies: An IAM identity policy that grants a principal permissions on a CMK (e.g., allowing a Lambda function to use it for encryption) is only effective if the key policy also allows that access. Both must grant the permission.
- Grants:
- What they are: A finer-grained alternative or supplement to key policies for temporary or specific permissions.
- Purpose: Allow granting temporary, granular permissions for cryptographic operations to IAM principals without modifying the key policy.
- Benefits: Easier to revoke, ideal for temporary access or delegating specific permissions.
Scenario: You have a sensitive dataset encrypted with an AWS KMS Customer Managed Key (CMK). You need to grant an IAM role used by an EC2 instance permission to decrypt data using this CMK. You also need to grant a third-party application temporary permission to encrypt data with the same CMK.
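The scenario above worked through as an added Python example (not part of the original page): it builds the key policy with the default root statement and a Decrypt-only statement for the instance role, models the third party's Encrypt-only grant, and checks which calls each principal can make against the key. The account IDs, role names and the `key_allows` evaluator are constructed for illustration; only the key-policy and grant side of the decision is modelled, not the caller's IAM policy.

```python
import fnmatch
from typing import Dict, List

# Constructed placeholders, not a real account, role or third party.
ACCOUNT_ID = "111122223333"
EC2_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/DatasetReaderRole"
THIRD_PARTY_ARN = "arn:aws:iam::444455556666:role/PartnerIngestApp"

def build_key_policy(account_id: str, decrypt_role_arn: str) -> Dict:
    """Default root statement plus a Decrypt-only statement for the instance role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Default statement: account root gets full access to the key
                "Sid": "EnableRootAccess",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Least privilege: the instance role may decrypt, not encrypt
                "Sid": "AllowDecryptForInstanceRole",
                "Effect": "Allow",
                "Principal": {"AWS": decrypt_role_arn},
                "Action": ["kms:Decrypt", "kms:DescribeKey"],
                "Resource": "*",
            },
        ],
    }

def build_encrypt_grant(grantee_arn: str) -> Dict:
    """Grant in the shape of CreateGrant's GranteePrincipal/Operations: Encrypt only,
    so the third party can write data but never read it back. Revoking it means
    removing it from the grant list; the key policy is never edited."""
    return {"GranteePrincipal": grantee_arn, "Operations": ["Encrypt"]}

def _match(pattern, value: str) -> bool:
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatch(value, p) for p in patterns)

def key_allows(policy: Dict, grants: List[Dict], principal_arn: str, action: str) -> bool:
    """Simplified key-side decision: an Allow statement matching principal and action, or an
    active grant naming them, permits the call. Deny statements and IAM policies are not modelled."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow" and _match(stmt["Principal"]["AWS"], principal_arn)
                and _match(stmt["Action"], action)):
            return True
    operation = action.split(":", 1)[1]          # "kms:Encrypt" -> "Encrypt"
    return any(g["GranteePrincipal"] == principal_arn and operation in g["Operations"]
               for g in grants)
```

Dropping the grant from the list is the model's equivalent of RetireGrant/RevokeGrant: the third party loses Encrypt immediately while the key policy, and the instance role's Decrypt access, stay untouched.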
Reflection Question: How do KMS key policies (as the primary access control for CMKs) and grants (for temporary/specific permissions) fundamentally provide granular control over who can manage and use CMKs, ensuring secure and precise access to encryption operations?