IAM Policies: Allow a User Read-Only Access to All CMKs through the AWS KMS Console

My Saved Presets

An IAM policy that allows IAM users read-only access to the AWS KMS console. That is, users can use the console to view all CMKs, but they cannot make changes to any CMKs or create new ones.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:ListKeys",
                "kms:ListAliases",
                "kms:DescribeKey",
                "kms:ListKeyPolicies",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "iam:ListUsers",
                "iam:ListRoles"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

No policy variables to customize

* Required field

Loading Library ...

Allow a User Read-Only Access to All CMKs through the AWS KMS Console

Actions

Customize Template