Understanding AWS KMS Roles - Creators, Administrators, and Users

all aws aws kms aws security Feb 07, 2024


AWS KMS is a pivotal service for managing encryption keys that protect our data. Understanding the distinct roles involved in managing KMS keys—Key Creators, Key Administrators, and Key Users—is essential when we're implementing security measures. Let's break down these roles for clarity and simplicity.

1. Key Creators

Who Are They? Key Creators are the individuals or services responsible for generating new KMS keys within AWS. This role is the starting point in the lifecycle of a key.

The Permissions List (To be given through IAM / IAM Identity Center):

  • kms:CreateKey - Allows for the creation of new KMS keys.
  • kms:TagResource - Optional, but useful for tagging keys during creation for organization and tracking.

Implementation Tips:

  • When creating a key, consider the key's purpose and whether it should be symmetric or asymmetric.
  • Apply relevant tags during creation to help categorize and manage keys effectively, such as tagging keys with their intended use or associated project.

2. Key Administrators

Who Are They? Key Administrators manage the KMS key's lifecycle and permissions. They are tasked with tasks like key creation, rotation, enabling/disabling keys, and managing access.

The Permissions List:

  • kms:Create*: Allows the creation of new KMS resources, such as keys and aliases. This permission is essential for Key Creators to initiate new cryptographic keys.

  • kms:Describe*: Provides detailed information about KMS resources, including keys and their metadata. This is crucial for administrative tasks and auditing purposes.

  • kms:Enable*: Permits enabling KMS resources that may have been disabled, ensuring they can be used for cryptographic operations again.

  • kms:List*: Allows listing of KMS resources, facilitating the management and organization of keys and their attributes.

  • kms:Put*: Enables the attachment of policies or other key material to KMS resources, important for setting up and modifying key configurations and policies.

  • kms:Update*: Allows for modifications to existing KMS resources, such as updating key descriptions or key policies, vital for maintaining current key management practices.

  • kms:Revoke*: Permits revocation of permissions or access to KMS resources, an important security feature for managing access control.

  • kms:Disable*: Allows for the disabling of KMS keys, preventing their use for cryptographic operations and securing resources that are not currently needed.

  • kms:Get*: Provides read access to KMS resources, such as viewing key policies or retrieving encrypted data, essential for day-to-day operations and access control.

  • kms:Delete*: Enables the deletion of KMS resources, such as removing unused keys or aliases, an important aspect of resource lifecycle management.

  • kms:TagResource: Allows adding tags to KMS resources, aiding in organization, categorization, and cost tracking for KMS keys.

  • kms:UntagResource: Permits the removal of tags from KMS resources, helping maintain accurate and current tagging for keys and other resources.

  • kms:ScheduleKeyDeletion: Enables scheduling the deletion of a KMS key, an important step in the key lifecycle for retiring keys that are no longer needed.

  • kms:CancelKeyDeletion: Allows the cancellation of a previously scheduled key deletion, ensuring that keys can be retained if their deletion is no longer required.

Implementation Tips:

  • Regularly review and update key policies to adhere to the principle of least privilege.
  • Enable key rotation for customer-managed keys to enhance security.
  • Use aliases to simplify key management and reference in applications.

3. Key Users

Who Are They? Key Users are individuals or applications that use KMS keys for cryptographic operations, such as encrypting or decrypting data.

The Permissions List:

  • kms:Encrypt: Allows for the encryption of data using a specified KMS key. This permission is necessary for applications and services that need to encrypt data before storing or transmitting it securely.

  • kms:Decrypt: Permits the decryption of data that was previously encrypted with a KMS key. Essential for applications and services that need to access or process encrypted data.

  • kms:ReEncrypt*: Enables the decryption of data encrypted under one KMS key and its re-encryption under another KMS key without exposing the plaintext data. Useful for key rotation and changing data encryption schemas.

  • kms:GenerateDataKey*: Allows for the creation of data encryption keys that are encrypted under a KMS master key. These data keys can then be used for encrypting data outside of KMS, providing an additional layer of security for data at rest.

  • kms:DescribeKey: Provides detailed information about a KMS key, including its key policy, usage, and other metadata. This permission is crucial for administrative and auditing purposes to understand and manage key configurations and permissions.

Implementation Tips:

  • Ensure key policies and IAM policies are correctly configured to grant only necessary permissions.
  • Use the kms:ViaService condition in key policies to restrict key usage to specific AWS services, enhancing security.


AWS KMS roles—Key Creators, Key Administrators, and Key Users—play specific and crucial roles in the lifecycle of encryption keys. By understanding and correctly implementing these roles, we can ensure a secure and efficient encryption key management system within our AWS environment. Whether we're implementing security measures or studying for an AWS certification, a solid grasp of these roles is fundamental.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.