Overview

An IAM policy that allows IAM users read-only access to the AWS KMS console. That is, users can use the console to view all CMKs, but they cannot make changes to any CMKs or create new ones.

Configuration Templates

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:ListKeys",
                "kms:ListAliases",
                "kms:DescribeKey",
                "kms:ListKeyPolicies",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "iam:ListUsers",
                "iam:ListRoles"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Actions



Customize Policy
No policy variables to customize
* Required field

Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation: