Understand the evaluation model: a KMS key policy is the primary resource-based policy; IAM identity policies can delegate permissions only if the key policy explicitly allows the account or IAM entities
Write a key policy whose first statement allows the account root principal (the AWS account itself) to prevent lock-out and to let IAM policies in that account delegate access; then add specific statements granting kms:Encrypt, kms:Decrypt, kms:GenerateDataKey, or kms:DescribeKey to the intended principals
For cross-account or service access, add the external account principal or AWS service principal to the key policy; do not rely solely on IAM policies across account boundaries
Use KMS grants for temporary or delegated access (e.g., AWS services acting on behalf of a user); grants can be retired without modifying the key policy
Audit effective permissions with IAM Policy Simulator and CloudTrail kms:* events; look for overly broad principals like '*'
Enable key deletion protection and set a pending deletion window (consult current docs for minimum window); require MFA or an approval workflow before scheduling deletion
Known gotchas
Removing all principals from a key policy or creating a policy with no root-account statement can lock you out permanently; AWS support cannot recover KMS key material
IAM policies alone cannot grant KMS access unless the key policy explicitly allows the account; this is the most common misconfiguration causing AccessDeniedException
Grants are scoped to a single grantee principal and a set of operations; ensure the grant includes only the minimum operations required and retire grants when no longer needed
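An added example, not code from the page or from the route's author: a small Python audit that parses a key policy document and flags the two gotchas above (no root-account statement that enables IAM delegation, and an unconditional '*' principal). The sample policy, the account ID 111122223333 and the role name are constructed placeholders.

```python
import json

# Constructed sample key policy: account ID, Sids and role name are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowAppDecrypt", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Encrypt", "Resource": "*"},
    ],
})


def _principals(stmt):
    """Normalise the Principal element to a list of AWS principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def _actions(stmt):
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def audit_key_policy(policy_json, account_id):
    """Return findings for the lock-out and over-broad-principal gotchas."""
    findings = []
    root_arn = f"arn:aws:iam::{account_id}:root"
    root_ok = False
    stmts = json.loads(policy_json)["Statement"]
    if isinstance(stmts, dict):  # a single statement may be given as an object
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        prin, acts = _principals(stmt), _actions(stmt)
        if root_arn in prin and "kms:*" in acts:
            root_ok = True  # this statement is what lets IAM policies delegate
        if "*" in prin and not stmt.get("Condition"):
            findings.append(f"{stmt.get('Sid')}: Principal '*' without Condition")
    if not root_ok:
        findings.append("no root-account statement: IAM policies cannot delegate, risk of lock-out")
    return findings
```

A '*' principal that carries a Condition (for example an organisation restriction) is not flagged, so review those statements by hand.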