A RetroSearch Logo

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Search Query:

Showing content from https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html below:

AWS KMS permissions - AWS Key Management Service

CancelKeyDeletion

kms:CancelKeyDeletion

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

ConnectCustomKeyStore

kms:ConnectCustomKeyStore

IAM policy No

*

kms:CallerAccount

CreateAlias

kms:CreateAlias

To use this operation, the caller needs kms:CreateAlias permission on two resources:

For details, see Controlling access to aliases.

IAM policy (for the alias)

No

Alias

None (when controlling access to the alias)

Key policy (for the KMS key)

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

CreateCustomKeyStore

kms:CreateCustomKeyStore

IAM policy No

*

kms:CallerAccount

CreateGrant

kms:CreateGrant

Key policy

Yes

KMS key

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Grant conditions:

kms:GrantConstraintType

kms:GranteePrincipal

kms:GrantIsForAWSResource

kms:GrantOperations

kms:RetiringPrincipal

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

CreateKey

kms:CreateKey

IAM policy

No

*

kms:BypassPolicyLockoutSafetyCheck

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ViaService

aws:RequestTag/tag-key (AWS global condition key)

aws:ResourceTag/tag-key (AWS global condition key)

aws:TagKeys (AWS global condition key)

Decrypt

kms:Decrypt

Key policy

Yes

KMS key

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

DeleteAlias

kms:DeleteAlias

To use this operation, the caller needs kms:DeleteAlias permission on two resources:

For details, see Controlling access to aliases.

IAM policy (for the alias)

No

Alias

None (when controlling access to the alias)

Key policy (for the KMS key)

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

DeleteCustomKeyStore

kms:DeleteCustomKeyStore

IAM policy No

*

kms:CallerAccount

DeleteImportedKeyMaterial

kms:DeleteImportedKeyMaterial

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

DeriveSharedSecret

kms:DeriveSharedSecret

Key policy Yes KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Conditions for cryptographic operations:

kms:KeyAgreementAlgorithm

DescribeCustomKeyStores

kms:DescribeCustomKeyStores

IAM policy No

*

kms:CallerAccount

DescribeKey

kms:DescribeKey

Key policy

Yes

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:RequestAlias

DisableKey

kms:DisableKey

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

DisableKeyRotation

kms:DisableKeyRotation

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

DisconnectCustomKeyStore

kms:DisconnectCustomKeyStore

IAM policy No

*

kms:CallerAccount

EnableKey

kms:EnableKey

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

EnableKeyRotation

kms:EnableKeyRotation

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Automatic key rotation conditions:

kms:RotationPeriodInDays

Encrypt

kms:Encrypt

Key policy

Yes

KMS key

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GenerateDataKey

kms:GenerateDataKey

Key policy

Yes

KMS key

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GenerateDataKeyPair

kms:GenerateDataKeyPair

Key policy

Yes

KMS key

Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key.

Conditions for data key pairs:

kms:DataKeyPairSpec

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GenerateDataKeyPairWithoutPlaintext

kms:GenerateDataKeyPairWithoutPlaintext

Key policy

Yes

KMS key

Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key.

Conditions for data key pairs:

kms:DataKeyPairSpec

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GenerateDataKeyWithoutPlaintext

kms:GenerateDataKeyWithoutPlaintext

Key policy

Yes

KMS key

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GenerateMac

kms:GenerateMac

Key policy Yes KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Conditions for cryptographic operations:

kms:MacAlgorithm

kms:RequestAlias

GenerateRandom

kms:GenerateRandom

IAM policy

N/A

*

None

GetKeyPolicy

kms:GetKeyPolicy

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GetKeyRotationStatus

kms:GetKeyRotationStatus

Key policy

Yes

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GetParametersForImport

kms:GetParametersForImport

Key policy

No

KMS key

kms:WrappingAlgorithm

kms:WrappingKeySpec

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

GetPublicKey

kms:GetPublicKey

Key policy

Yes

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:RequestAlias

ImportKeyMaterial

kms:ImportKeyMaterial

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:ExpirationModel

kms:ValidTo

ListAliases

kms:ListAliases

IAM policy

No

*

None

ListGrants

kms:ListGrants

Key policy

Yes

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:GrantIsForAWSResource

ListKeyPolicies

kms:ListKeyPolicies

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

ListKeyRotations

kms:ListKeyRotations

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

ListKeys

kms:ListKeys

IAM policy

No

*

None

ListResourceTags

kms:ListResourceTags

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

ListRetirableGrants

kms:ListRetirableGrants

IAM policy

The specified principal must be in the local account, but the operation returns grants in all accounts.

*

None

PutKeyPolicy

kms:PutKeyPolicy

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:BypassPolicyLockoutSafetyCheck

ReEncrypt

kms:ReEncryptFrom

kms:ReEncryptTo

To use this operation, the caller needs permission on two KMS keys:

Key policy

Yes

KMS key

Conditions for cryptographic operations

kms:EncryptionAlgorithm

kms:RequestAlias

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:ReEncryptOnSameKey

ReplicateKey

kms:ReplicateKey

To use this operation, the caller needs the following permissions:

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:ReplicaRegion

RetireGrant

kms:RetireGrant

Permission to retire a grant is determined primarily by the grant. A policy alone cannot allow access to this operation. For more information, see Retiring and revoking grants.

IAM policy

(This permission is not effective in a key policy.)

Yes

KMS key

Encryption context conditions:

kms:EncryptionContext:context-key

kms:EncryptionContextKeys

Grant conditions:

kms:GrantConstraintType

Conditions for KMS key operations:

kms:CallerAccount

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

RevokeGrant

kms:RevokeGrant

Key policy

Yes

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions:

kms:GrantIsForAWSResource

RotateKeyOnDemand

kms:RotateKeyOnDemand

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

ScheduleKeyDeletion

kms:ScheduleKeyDeletion

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Sign

kms:Sign

Key policy

Yes

KMS key

Conditions for signing and verification:

kms:MessageType

kms:RequestAlias

kms:SigningAlgorithm

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

TagResource

kms:TagResource

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Conditions for tagging:

aws:RequestTag/tag-key (AWS global condition key)

aws:TagKeys (AWS global condition key)

UntagResource

kms:UntagResource

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Conditions for tagging:

aws:RequestTag/tag-key (AWS global condition key)

aws:TagKeys (AWS global condition key)

UpdateAlias

kms:UpdateAlias

To use this operation, the caller needs kms:UpdateAlias permission on three resources:

For details, see Controlling access to aliases.

IAM policy (for the alias)

No

Alias

None (when controlling access to the alias)

Key policy (for the KMS keys)

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

UpdateCustomKeyStore

kms:UpdateCustomKeyStore

IAM policy No

*

kms:CallerAccount

UpdateKeyDescription

kms:UpdateKeyDescription

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

UpdatePrimaryRegion

kms:UpdatePrimaryRegion

To use this operation, the caller needs kms:UpdatePrimaryRegion permission on both the multi-Region primary key that will become a replica key and the multi-Region replica key that will become the primary key.

Key policy

No

KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Other conditions

kms:PrimaryRegion

Verify

kms:Verify

Key policy

Yes

KMS key

Conditions for signing and verification:

kms:MessageType

kms:RequestAlias

kms:SigningAlgorithm

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

VerifyMac

kms:VerifyMac

Key policy Yes KMS key

Conditions for KMS key operations:

kms:CallerAccount

kms:KeySpec

kms:KeyUsage

kms:KeyOrigin

kms:MultiRegion

kms:MultiRegionKeyType

kms:ResourceAliases

aws:ResourceTag/tag-key (AWS global condition key)

kms:ViaService

Conditions for cryptographic operations:

kms:MacAlgorithm

kms:RequestAlias

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4