{"id":"7c6fa35c-96d3-455e-95c0-fa04d09db23d","task":"Configure AWS KMS key policies, IAM policies, and grants for least-privilege key access","domain":"docs.aws.amazon.com","steps":["Understand the evaluation model: the key policy is the resource-based policy attached to every KMS key and is always evaluated; IAM identity policies can grant access to a key only if the key policy contains a statement that allows the account (Principal arn:aws:iam::<account-id>:root) to use IAM policies for that key","Start the key policy with the account-root statement (Principal arn:aws:iam::<account-id>:root, Action kms:*) so the account cannot lock itself out, then add narrowly scoped statements: a key-administrator statement (kms:Create*, kms:Describe*, kms:Enable*, kms:List*, kms:Put*, kms:Update*, kms:Revoke*, kms:Disable*, kms:Get*, kms:ScheduleKeyDeletion, kms:CancelKeyDeletion) for an admin role that does not need to encrypt or decrypt, and a usage statement (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, kms:DescribeKey) for the specific roles that do; the default key policy the console generates follows this layout","For cross-account access, add the external account root (arn:aws:iam::<other-account-id>:root) or specific roles in it to the key policy AND have the external account attach an IAM policy to its own principals; both are required, so an IAM policy in either account never crosses the boundary on its own. For AWS services, add a service principal only where the service requires one (for example logs.<region>.amazonaws.com for CloudWatch Logs); otherwise keep the IAM principal as the grantee and restrict the statement with a kms:ViaService condition such as s3.<region>.amazonaws.com","Use grants for temporary or delegated access (the pattern integrated services such as EBS and RDS use when acting on your behalf): a grant names one grantee principal, a minimal list of operations, and optionally an encryption-context constraint, and it can be retired or revoked without touching the key policy. Grants are eventually consistent, so pass the GrantToken returned by CreateGrant to any call made immediately afterwards. In the key policy, allow kms:CreateGrant only with the kms:GrantIsForAWSResource condition unless a principal genuinely needs to create grants for other principals","Audit effective permissions with the IAM Policy Simulator, which evaluates the key policy together with the caller's IAM policies, and with CloudTrail, which records every KMS API call: search for AccessDeniedException on kms:* to find missing key-policy statements, and for Decrypt or GenerateDataKey calls from principals you did not expect. In the policy text itself, flag Principal '*' and any foreign-account principal that has no Condition","There is no separate deletion-protection switch for KMS keys: ScheduleKeyDeletion always enforces a waiting period of 7 to 30 days (default 30), during which CancelKeyDeletion restores the key, so keep the full 30 days. Deny kms:ScheduleKeyDeletion to everyone except a break-glass role (in the key policy or a service control policy), require MFA on that role with an aws:MultiFactorAuthPresent condition, and alarm on ScheduleKeyDeletion events in CloudTrail"],"gotchas":["KMS rejects a CreateKey or PutKeyPolicy that would remove the caller's own kms:PutKeyPolicy permission unless BypassPolicyLockoutSafetyCheck is set to true; bypassing that check, or writing a policy with no account-root statement and no other administrator principal, can leave the key unmanageable. Key material never leaves KMS, so AWS Support cannot recover or export it for you; treat a locked-out key as lost","An IAM policy that allows kms:Decrypt on a key does nothing unless that key's policy allows the caller's account (the account-root statement) or the caller directly; the resulting AccessDeniedException is the most common KMS misconfiguration, and the fix belongs in the key policy, not in the IAM policy","A grant is scoped to one grantee principal and an explicit list of operations; include only the operations required, add an EncryptionContextEquals or EncryptionContextSubset constraint whenever the data carries an encryption context, set a RetiringPrincipal so the grant can be cleaned up, and retire or revoke grants as soon as they are no longer needed, since grants count against a per-key quota and orphaned grants eventually block new ones"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/7c6fa35c-96d3-455e-95c0-fa04d09db23d"}
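Worked example for the procedure above, added here and not part of the original waymark record or of AWS documentation: a Python script that assembles the key policy the steps describe (account-root statement, separate administrator and usage statements, grant creation limited to AWS resources, a cross-account statement fenced by kms:ViaService), builds a constrained CreateGrant request, and lints any key policy for the lock-out and wildcard-principal mistakes listed under gotchas. It uses only the standard library so it runs offline; the account IDs 111111111111 and 222222222222, the KmsKeyAdmin and OrderServiceRole role names, the Region and the Sid values are made-up placeholders, and the lint rules are this example's own heuristics rather than an AWS tool.

```python
# Added example (not part of the original record): assemble the least-privilege
# key policy the steps describe and lint it for the gotchas. Standard library
# only; account IDs, role ARNs and the Region are made-up placeholders.
OWNER_ACCOUNT = "111111111111"
EXTERNAL_ACCOUNT = "222222222222"
REGION = "us-east-1"
ADMIN_ROLE = f"arn:aws:iam::{OWNER_ACCOUNT}:role/KmsKeyAdmin"
APP_ROLE = f"arn:aws:iam::{OWNER_ACCOUNT}:role/OrderServiceRole"

ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:TagResource", "kms:UntagResource",
                 "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
                 "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"]


def build_key_policy():
    """Key policy document; the account-root statement comes first."""
    return {
        "Version": "2012-10-17",
        "Id": "least-privilege-key-policy",
        "Statement": [
            # Account-root statement: prevents lock-out and lets IAM policies work.
            {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{OWNER_ACCOUNT}:root"},
             "Action": "kms:*", "Resource": "*"},
            # Administration (no Encrypt/Decrypt) for a dedicated admin role.
            {"Sid": "AllowKeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": ADMIN_ROLE},
             "Action": ADMIN_ACTIONS, "Resource": "*"},
            # Cryptographic use for the one workload that needs it.
            {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
             "Principal": {"AWS": APP_ROLE},
             "Action": USAGE_ACTIONS, "Resource": "*"},
            # The workload may create grants, but only for integrated AWS services.
            {"Sid": "AllowGrantsForAWSResources", "Effect": "Allow",
             "Principal": {"AWS": APP_ROLE},
             "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
             "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
            # Cross-account use: the other account still needs its own IAM
            # policy, and kms:ViaService limits this statement to S3 calls.
            {"Sid": "AllowExternalAccountViaS3", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{EXTERNAL_ACCOUNT}:root"},
             "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"s3.{REGION}.amazonaws.com"}}},
        ],
    }


def build_grant_request(key_id, grantee_arn, operations, encryption_context):
    """Parameters for kms.create_grant: one grantee, minimal operations and an
    exact encryption-context constraint so the grant cannot be reused elsewhere."""
    return {"KeyId": key_id, "GranteePrincipal": grantee_arn,
            "RetiringPrincipal": grantee_arn, "Operations": list(operations),
            "Constraints": {"EncryptionContextEquals": dict(encryption_context)}}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    # Flatten the Principal element; a bare "*" means anyone.
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    return [p for key in ("AWS", "Service", "Federated")
            for p in _as_list(principal.get(key))]


def _account_of(principal):
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def lint_key_policy(policy, owner_account):
    """Return findings as strings; an empty list means the policy passed."""
    root_arn = f"arn:aws:iam::{owner_account}:root"
    findings, has_root = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principals = stmt.get("Sid", "?"), _principals(stmt)
        actions, conditioned = _as_list(stmt.get("Action")), "Condition" in stmt
        if root_arn in principals and any(a in ("kms:*", "*") for a in actions):
            has_root = True
        if "*" in principals and not conditioned:
            findings.append(f"{sid}: Principal '*' without a Condition")
        for p in principals:
            account = _account_of(p)
            if account and account != owner_account and not conditioned:
                findings.append(f"{sid}: cross-account principal {p} without a Condition")
        if "kms:*" in actions and root_arn not in principals:
            findings.append(f"{sid}: kms:* granted to a non-root principal")
    if not has_root:
        findings.append("no account-root statement granting kms:* "
                        "(lock-out risk; IAM policies cannot grant access to this key)")
    return findings
```

To apply the document, pass `json.dumps(build_key_policy())` as the Policy parameter of CreateKey or PutKeyPolicy (leave BypassPolicyLockoutSafetyCheck at its default of false so KMS still refuses a policy that would lock the caller out), and pass `build_grant_request(...)` as keyword arguments to `kms.create_grant`. Running `lint_key_policy` over an existing key's GetKeyPolicy output before and after a change is a cheap complement to the Policy Simulator check in the steps.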