This section describes IAM's fine-grained permissions management for your KMS resources. With IAM, you can:

Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access KMS resources.
Grant users only the permissions required to perform a task.
Entrust an account or cloud service to perform efficient O&M on your KMS resources.

If your account does not need individual IAM users, you may skip over this chapter.

This section describes the procedure for granting permissions (see Figure 1).

Prerequisites

Before authorizing permissions to a user group, you need to know which KMS permissions can be added to the user group. System-defined roles and policies supported by DEW describes the KMS system policies.

**Table 1** KMS permissions
Role/Policy Name	Description	Type
KMS Administrator	Administrator permissions for the encryption key	System role
KMS CMKFullAccess	All permissions for the encryption keys	System policy

Authorization Process

Figure 1 Authorizing the KMS access permission to a user

Create a user group on the IAM console and grant the user group the KMS CMKFullAccess permission (indicating full permissions for keys).
Create a user on the IAM console and add the user to the user group created in 1.
Log in to the console as newly created user, and verify that the user only has read permissions for DEW.

Creating a User and Authorizing the User the Permission to Access KMS

Prerequisites

Authorization Process