Showing content from http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-adding-permission.html below:

Control access to key deletion

If you use IAM policies to allow AWS KMS permissions, IAM identities that have AWS administrator access ("Action": "*") or AWS KMS full access ("Action": "kms:*") are already allowed to schedule and cancel the deletion of KMS keys. To allow key administrators to schedule and cancel key deletion in the key policy, use the AWS KMS console or the AWS KMS API.

Typically, only key administrators have permission to schedule or cancel key deletion. However, you can give these permissions to other IAM identities by adding the kms:ScheduleKeyDeletion and kms:CancelKeyDeletion permissions to the key policy or an IAM policy. You can also use the kms:ScheduleKeyDeletionPendingWindowInDays condition key to further constrain the values that principals can specify in the PendingWindowInDays parameter of a ScheduleKeyDeletion request.

Allow key administrators to schedule and cancel key deletion

To give key administrators permission to schedule and cancel key deletion

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Choose the alias or key ID of the KMS key whose permissions you want to change.

  5. Choose the Key policy tab.

  6. The next step differs for the default view and policy view of your key policy. Default view is available only if you are using the default console key policy. Otherwise, only policy view is available.

    When default view is available, a Switch to policy view or Switch to default view button appears on the Key policy tab.

You can use the AWS Command Line Interface to add permissions for scheduling and canceling key deletion.

To add permission to schedule and cancel key deletion

  1. Use the aws kms get-key-policy command to retrieve the existing key policy, and then save the policy document to a file.

  2. Open the policy document in your preferred text editor. In the policy statement for key administrators, add the kms:ScheduleKeyDeletion and kms:CancelKeyDeletion permissions. The following example shows a policy statement with these two permissions:

    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSKeyAdmin"},
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    }
  3. Use the aws kms put-key-policy command to apply the key policy to the KMS key.
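As an added example (not code from the AWS documentation), the following Python performs the policy edit from the CLI procedure above on the parsed policy document and, going beyond the page's statement, uses the kms:ScheduleKeyDeletionPendingWindowInDays condition key described earlier to require a minimum waiting period before a key can be deleted. The SCHEDULE_SID name, the 30-day floor and the sample account/user ARN are assumptions; the __main__ block wires the function to the aws kms get-key-policy and put-key-policy commands from steps 1 and 3.

```python
import copy
ADMIN_SID = "Allow access for Key Administrators"  # Sid used in the page's example
SCHEDULE_SID = "Allow ScheduleKeyDeletion with minimum waiting period"  # assumed name
MIN_PENDING_DAYS = 30  # assumed floor; KMS accepts a waiting period of 7 to 30 days

# Constructed sample key policy shaped like the page's administrator statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": ADMIN_SID, "Effect": "Allow", "Resource": "*",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSKeyAdmin"},
        "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                   "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                   "kms:Get*", "kms:Delete*"],
    }],
}

def add_deletion_permissions(policy, admin_sid=ADMIN_SID, min_days=MIN_PENDING_DAYS):
    """Return a copy of the parsed key policy: the administrator statement gains
    kms:CancelKeyDeletion, and a separate statement allows kms:ScheduleKeyDeletion
    only when PendingWindowInDays >= min_days. Idempotent on its own output."""
    policy = copy.deepcopy(policy)
    admin = next(s for s in policy["Statement"] if s.get("Sid") == admin_sid)
    actions = admin.get("Action", [])
    actions = [actions] if isinstance(actions, str) else list(actions)
    if "kms:CancelKeyDeletion" not in actions:
        actions.append("kms:CancelKeyDeletion")
    admin["Action"] = actions
    # ScheduleKeyDeletion gets its own statement: the condition key exists only on
    # ScheduleKeyDeletion requests, so putting the condition on the broad admin
    # statement would make every other action in it fail the condition.
    if not any(s.get("Sid") == SCHEDULE_SID for s in policy["Statement"]):
        policy["Statement"].append({
            "Sid": SCHEDULE_SID, "Effect": "Allow", "Resource": "*",
            "Principal": admin["Principal"],
            "Action": "kms:ScheduleKeyDeletion",
            "Condition": {"NumericGreaterThanEquals": {
                "kms:ScheduleKeyDeletionPendingWindowInDays": str(min_days)}},
        })
    return policy

if __name__ == "__main__":  # CLI round trip: get-key-policy, edit, put-key-policy
    import json, subprocess, sys
    key_id = sys.argv[1]
    current = subprocess.run(
        ["aws", "kms", "get-key-policy", "--key-id", key_id, "--policy-name", "default",
         "--query", "Policy", "--output", "text"], check=True, capture_output=True, text=True)
    updated = json.dumps(add_deletion_permissions(json.loads(current.stdout)))
    subprocess.run(["aws", "kms", "put-key-policy", "--key-id", key_id,
                    "--policy-name", "default", "--policy", updated], check=True)
```

Run as `python add_deletion_permissions.py <key-id>` with credentials that already have kms:GetKeyPolicy and kms:PutKeyPolicy on the key; review the updated document before relying on it, since put-key-policy replaces the whole policy.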
