Action Description Resources Conditions
Cancels the deletion of a customer master key (CMK).
  • arn:aws:kms:$region:$account:key/$key-id
Creates a display name for a customer master key.
  • arn:aws:kms:$region:$account:alias/$alias-name
Creates a display name for a customer master key.
  • arn:aws:kms:$region:$account:key/$key-id
Adds a grant to a key to specify who can use the key and under what conditions.
  • arn:aws:kms:$region:$account:key/$key-id
  • kms:GrantConstraintType
  • kms:GrantIsForAWSResource
  • kms:GrantOperations
  • kms:CallerAccount
  • kms:ViaService
  • Global Conditions
Creates a customer master key (CMK).
  • *
Decrypts ciphertext.
  • arn:aws:kms:$region:$account:key/$key-id
  • kms:EncryptionContext:
  • kms:EncryptionContextKeys
  • kms:CallerAccount
  • kms:ViaService
  • Global Conditions
Deletes the specified alias.
  • arn:aws:kms:$region:$account:alias/$alias-name
Deletes the specified alias.
  • arn:aws:kms:$region:$account:key/$key-id
Provides detailed information about the specified customer master key.
  • arn:aws:kms:$region:$account:key/$key-id
Sets the state of a customer master key (CMK) to disabled, thereby preventing its use for cryptographic operations.
  • arn:aws:kms:$region:$account:key/$key-id
Disables rotation of the specified key.
  • arn:aws:kms:$region:$account:key/$key-id
Marks a key as enabled, thereby permitting its use.
  • arn:aws:kms:$region:$account:key/$key-id
Enables rotation of the specified customer master key.
  • arn:aws:kms:$region:$account:key/$key-id
Encrypts plaintext into ciphertext by using a customer master key.
  • arn:aws:kms:$region:$account:key/$key-id
  • kms:EncryptionContext:
  • kms:EncryptionContextKeys
  • kms:CallerAccount
  • kms:ViaService
  • Global Conditions
Generates an unpredictable byte string.
  • *
Generates a data key that you can use in your application to locally encrypt data.
  • arn:aws:kms:$region:$account:key/$key-id
  • kms:EncryptionContext:
  • kms:EncryptionContextKeys
  • kms:CallerAccount
  • kms:ViaService
  • Global Conditions
Returns a data key encrypted by a customer master key without the plaintext copy of that key.
  • arn:aws:kms:$region:$account:key/$key-id
  • kms:EncryptionContext:
  • kms:EncryptionContextKeys
  • kms:CallerAccount
  • kms:ViaService
  • Global Conditions
Retrieves a policy attached to the specified key.
  • arn:aws:kms:$region:$account:key/$key-id
Retrieves a Boolean value that indicates whether key rotation is enabled for the specified key.
  • arn:aws:kms:$region:$account:key/$key-id
Lists all of the key aliases in the account.
  • *
List the grants for a specified key.
  • arn:aws:kms:$region:$account:key/$key-id
Retrieves a list of policies attached to a key.
  • arn:aws:kms:$region:$account:key/$key-id
Lists the customer master keys.
  • *
Returns a list of all tags for the specified customer master key (CMK).
  • arn:aws:kms:$region:$account:key/$key-id
Returns a list of all grants for which the grant's RetiringPrincipal matches the one specified.
  • *
Attaches a key policy to the specified customer master key (CMK).
  • arn:aws:kms:$region:$account:key/$key-id
Encrypts data on the server side with a new customer master key without exposing the plaintext of the data on the client side.
  • arn:aws:kms:$region:$account:key/$key-id
  • kms:EncryptionContext:
  • kms:EncryptionContextKeys
  • kms:ReEncryptOnSameKey
  • kms:CallerAccount
  • kms:ViaService
  • Global Conditions
Encrypts data on the server side with a new customer master key without exposing the plaintext of the data on the client side.
  • arn:aws:kms:$region:$account:key/$key-id
  • kms:EncryptionContext:
  • kms:EncryptionContextKeys
  • kms:ReEncryptOnSameKey
  • kms:CallerAccount
  • kms:ViaService
  • Global Conditions
Retires a grant.
  • -
Revokes a grant.
  • arn:aws:kms:$region:$account:key/$key-id
Schedules the deletion of a customer master key (CMK).
  • arn:aws:kms:$region:$account:key/$key-id
Adds or overwrites one or more tags for the specified customer master key (CMK).
  • arn:aws:kms:$region:$account:key/$key-id
Removes the specified tag or tags from the specified customer master key (CMK).
  • arn:aws:kms:$region:$account:key/$key-id
Updates an alias to map it to a different key.
  • arn:aws:kms:$region:$account:alias/$alias-name
Updates an alias to map it to a different key.
  • arn:aws:kms:$region:$account:key/$key-id
Updates the description of a key.
  • arn:aws:kms:$region:$account:key/$key-id