



      "Action": [
      "Effect": "Allow",
      "Resource": "*"

kms policy 

    "Id": "key-consolepolicy",
    "Version": "2012-10-17",
    "Statement": [
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxx:root"
            "Action": "kms:*",
            "Resource": "*"


Allowing multiple IAM users to access a CMK
IAM groups are not valid principals in a key policy. To allow multiple IAM users to access a CMK, do one of
the following:
• Add each IAM user to the key policy. This approach requires that you update the key policy each time
the list of authorized users changes.
• Ensure that the key policy includes the statement that enables IAM policies to allow access to the
CMK (p. 72). Then create an IAM policy that allows access to the CMK, and then attach that policy to
an IAM group that contains the authorized IAM users. Using this approach, you don't need to change
any policies when the list of authorized users changes. Instead, you only need to add or remove those
users from the appropriate IAM group.
一文带你了解贝壳密钥管理系统 KMS


. Enables IAM policies to allow access to the CMK.
IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them
in combination with a CMK's key policy if the key policy enables it. Giving the AWS account full
access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the
account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it
enables you to use IAM policies to do so. For more information, see Managing access to AWS KMS
CMKs (p. 69).






