IAM Policy for KMS Encrypt and Decrypt
Create an IAM policy for encrypting and decrypting data using a specific KMS key. Includes GenerateDataKey for envelope encryption workflows.
Detailed Explanation
KMS Encrypt/Decrypt Policy
AWS Key Management Service (KMS) keys are used to encrypt data at rest across many AWS services. This policy grants the permissions needed for applications to encrypt and decrypt data using a specific KMS key.
Policy JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKMSEncryptDecrypt",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    }
  ]
}
Envelope Encryption
Most AWS services use envelope encryption: GenerateDataKey creates a data key encrypted by the KMS key. The plaintext data key encrypts your data locally, and the encrypted data key is stored alongside the ciphertext. On decryption, Decrypt recovers the data key, which then decrypts the data. This avoids sending large payloads to KMS.
Key ARN vs. Alias
You can specify the key by:
- Key ARN: arn:aws:kms:us-east-1:123456789012:key/12345678-...
- Key ID: 12345678-1234-1234-1234-123456789012
- Alias ARN: arn:aws:kms:us-east-1:123456789012:alias/my-key-alias
In IAM policies, always put the key ARN (not the alias) in the Resource element; the alias is only a pointer to the key, so a policy written against an alias ARN will not reliably match the Encrypt and Decrypt calls.
What DescribeKey Does
kms:DescribeKey returns metadata about the key (creation date, key state, key spec). Many SDKs and AWS services call DescribeKey before encrypt/decrypt operations, so it should be included even though the application never calls it directly.
Use Case
Applications that encrypt sensitive data before storing it in S3 or DynamoDB, Lambda functions processing encrypted payloads, or services using client-side encryption with the AWS Encryption SDK.