Permissions for @turbot/aws-kms

The table below lists each KMS permission, the grant level it is assigned to, and any notes on how that grant is constrained:

| Permission | Grant Level | Help |
|---|---|---|
| kms:CancelKeyDeletion | Admin | |
| kms:ConnectCustomKeyStore | Admin | |
| kms:CreateAlias | Admin | |
| kms:CreateCustomKeyStore | Admin | |
| kms:CreateGrant | Admin | Limited to AWS resource grants only through an explicit deny on the Lockdown group to prevent cross-account grants. |
| kms:CreateKey | Admin | Can be used to add policies to keys. Guardrails detects and resets any non-default policies added during key creation. |
| kms:Decrypt | Operator | |
| kms:DeleteAlias | Admin | |
| kms:DeleteCustomKeyStore | Admin | |
| kms:DeleteImportedKeyMaterial | Admin | |
| kms:DescribeCustomKeyStores | Metadata | |
| kms:DescribeKey | Metadata | Provides metadata about the key only. |
| kms:DisableKey | Admin | |
| kms:DisableKeyRotation | Admin | |
| kms:DisconnectCustomKeyStore | Admin | |
| kms:EnableKey | Admin | |
| kms:EnableKeyRotation | Admin | |
| kms:Encrypt | Operator | |
| kms:GenerateDataKey | Operator | |
| kms:GenerateDataKeyPair | Operator | |
| kms:GenerateDataKeyPairWithoutPlaintext | Operator | |
| kms:GenerateDataKeyWithoutPlaintext | Operator | |
| kms:GenerateRandom | Operator | |
| kms:GetKeyPolicy | Metadata | |
| kms:GetKeyRotationStatus | Metadata | |
| kms:GetParametersForImport | Metadata | Only a public key is returned; the import token is not returned. |
| kms:GetPublicKey | Metadata | |
| kms:ImportKeyMaterial | Admin | |
| kms:ListAliases | Metadata | |
| kms:ListGrants | Metadata | |
| kms:ListKeyPolicies | Metadata | |
| kms:ListKeys | Metadata | Provides metadata about the keys only. |
| kms:ListResourceTags | Metadata | |
| kms:ListRetirableGrants | Metadata | |
| kms:PutKeyPolicy | Admin | Key policies are reset by a guardrail after creation. |
| kms:ReEncrypt | Operator | |
| kms:ReEncryptFrom | Operator | |
| kms:ReEncryptTo | Operator | |
| kms:ReplicateKey | Operator | |
| kms:RetireGrant | Admin | |
| kms:RevokeGrant | Admin | |
| kms:ScheduleKeyDeletion | Admin | |
| kms:Sign | Operator | |
| kms:SynchronizeMultiRegionKey | Operator | |
| kms:TagResource | Operator | |
| kms:UntagResource | Operator | |
| kms:UpdateAlias | Admin | |
| kms:UpdateCustomKeyStore | Admin | |
| kms:UpdateKeyDescription | Admin | |
| kms:UpdatePrimaryRegion | Admin | |
| kms:Verify | Operator | |