This section describes IAM's fine-grained permissions management for your KMS resources. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access KMS resources.
- Grant users only the permissions required to perform a task.
- Entrust an account or cloud service to perform efficient O&M on your KMS resources.
If your account does not need individual IAM users, skip this chapter.
This section describes the procedure for granting permissions (see Figure 1).
Prerequisites
Before granting permissions to a user group, you need to understand the available KMS permissions, and grant permissions based on the real-life scenario. The following tables describe the permissions supported in KMS.
Role/Policy |
Description |
Type |
|---|---|---|
KMS Administrator |
Administrator permissions for the encryption key |
Role |
KMS CMKFullAccess |
All permissions for the encryption keys |
Policy |
KMS CMK Admin |
All permissions for the encryption keys |
Policy |
KMS CMKReadOnlyAccess |
Read-only permission for encryption keys |
Policy |
Authorization Process
Create a user group on the IAM console and grant the user group the permission (indicating full permissions for keys).
Create a user on the IAM console and add the user to the user group created in 1.
Log in to the console as newly created user, and verify that the user only has the assigned permissions.