Permissions for @turbot/aws-kms
The KMS permissions and the grant level associated with each:
Permission | Grant Level | Help |
---|---|---|
kms:CancelKeyDeletion | Admin | |
kms:ConnectCustomKeyStore | Admin | |
kms:CreateAlias | Admin | |
kms:CreateCustomKeyStore | Admin | |
kms:CreateGrant | Admin | Limited to AWS resource grants only, through an explicit deny on the Lockdown group, to prevent cross-account grants. |
kms:CreateKey | Admin | Can be used to add policies to keys. Guardrails detects and resets any non-default policies added during key creation. |
kms:Decrypt | Operator | |
kms:DeleteAlias | Admin | |
kms:DeleteCustomKeyStore | Admin | |
kms:DeleteImportedKeyMaterial | Admin | |
kms:DescribeCustomKeyStores | Metadata | |
kms:DescribeKey | Metadata | Provides Metadata about the key only. |
kms:DisableKey | Admin | |
kms:DisableKeyRotation | Admin | |
kms:DisconnectCustomKeyStore | Admin | |
kms:EnableKey | Admin | |
kms:EnableKeyRotation | Admin | |
kms:Encrypt | Operator | |
kms:GenerateDataKey | Operator | |
kms:GenerateDataKeyPair | Operator | |
kms:GenerateDataKeyPairWithoutPlaintext | Operator | |
kms:GenerateDataKeyWithoutPlaintext | Operator | |
kms:GenerateRandom | Operator | |
kms:GetKeyPolicy | Metadata | |
kms:GetKeyRotationStatus | Metadata | |
kms:GetParametersForImport | Metadata | Only a public key is returned; the import token is not returned. |
kms:GetPublicKey | Metadata | |
kms:ImportKeyMaterial | Admin | |
kms:ListAliases | Metadata | |
kms:ListGrants | Metadata | |
kms:ListKeyPolicies | Metadata | |
kms:ListKeys | Metadata | Provides Metadata about the keys only. |
kms:ListResourceTags | Metadata | |
kms:ListRetirableGrants | Metadata | |
kms:PutKeyPolicy | Admin | Key policies are reset by a guardrail after creation. |
kms:ReEncrypt | Operator | |
kms:ReEncryptFrom | Operator | |
kms:ReEncryptTo | Operator | |
kms:ReplicateKey | Operator | |
kms:RetireGrant | Admin | |
kms:RevokeGrant | Admin | |
kms:ScheduleKeyDeletion | Admin | |
kms:Sign | Operator | |
kms:SynchronizeMultiRegionKey | Operator | |
kms:TagResource | Operator | |
kms:UntagResource | Operator | |
kms:UpdateAlias | Admin | |
kms:UpdateCustomKeyStore | Admin | |
kms:UpdateKeyDescription | Admin | |
kms:UpdatePrimaryRegion | Admin | |
kms:Verify | Operator | |