KMS Admin

KMS Administrator

Has full access to KMS resources, including permission to create and delete them, but is not granted permission to perform encrypt and decrypt operations. Encryption and decryption are performed by the programs or individuals that actually process the data.

How to configure

IAM

Step 1: Create a group

Global regions: IAM Identity Center is recommended. Create a Group; it can be named KMSAdmin.

China regions: use IAM and create a User Group; it can be named KMSAdmin.

Step 2: Create policies

Create a new policy that allows creating and managing KMS keys but does not allow using KMS to encrypt or decrypt. Remove Decrypt and Encrypt from the Write permission group.

If you have special requirements, you can copy a managed (preset) policy and modify it as a starting point.

In the code example below, replace "123456789012" with your own account ID.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "IAMrelated",
			"Effect": "Allow",
			"Action": "iam:CreateServiceLinkedRole",
			"Resource": "*"
		},
		{
			"Sid": "KMSAdmin",
			"Effect": "Allow",
			"Action": [
				"kms:EnableKey",
				"kms:GetPublicKey",
				"kms:ImportKeyMaterial",
				"kms:UntagResource",
				"kms:PutKeyPolicy",
				"kms:GenerateDataKeyWithoutPlaintext",
				"kms:Verify",
				"kms:ListResourceTags",
				"kms:CancelKeyDeletion",
				"kms:ReplicateKey",
				"kms:GenerateDataKeyPair",
				"kms:GetParametersForImport",
				"kms:SynchronizeMultiRegionKey",
				"kms:GenerateMac",
				"kms:TagResource",
				"kms:UpdatePrimaryRegion",
				"kms:GetKeyRotationStatus",
				"kms:ScheduleKeyDeletion",
				"kms:ReEncryptTo",
				"kms:DescribeKey",
				"kms:Sign",
				"kms:CreateGrant",
				"kms:EnableKeyRotation",
				"kms:ListKeyPolicies",
				"kms:UpdateKeyDescription",
				"kms:ListRetirableGrants",
				"kms:GetKeyPolicy",
				"kms:DeleteImportedKeyMaterial",
				"kms:GenerateDataKeyPairWithoutPlaintext",
				"kms:DisableKey",
				"kms:ReEncryptFrom",
				"kms:DisableKeyRotation",
				"kms:RetireGrant",
				"kms:ListGrants",
				"kms:VerifyMac",
				"kms:UpdateAlias",
				"kms:RevokeGrant",
				"kms:GenerateDataKey",
				"kms:CreateAlias",
				"kms:DeleteAlias"
			],
			"Resource": [
				"arn:aws:kms:*:123456789012:alias/*",
				"arn:aws:kms:*:123456789012:key/*"
			]
		},
		{
			"Sid": "ListKMS",
			"Effect": "Allow",
			"Action": [
				"kms:DescribeCustomKeyStores",
				"kms:ListKeys",
				"kms:DeleteCustomKeyStore",
				"kms:GenerateRandom",
				"kms:UpdateCustomKeyStore",
				"kms:ListAliases",
				"kms:DisconnectCustomKeyStore",
				"kms:CreateKey",
				"kms:ConnectCustomKeyStore",
				"cloudhsm:DescribeClusters",
				"kms:CreateCustomKeyStore"
			],
			"Resource": "*"
		}
	]
}

Step 3: Create users and add them to the group

Create users for the people who are allowed to hold security administrator permissions and assign them to the KMSAdmin group created earlier.
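Before attaching the policy from Step 2, it is worth checking mechanically that it really withholds kms:Encrypt and kms:Decrypt, including through wildcards such as kms:* or a NotAction statement that a later edit might introduce. The Python check below is an added example, not part of this page's or AWS's own tooling; it embeds a constructed, abbreviated copy of the KMSAdmin policy (a subset of its actions, placeholder account ID) and ignores Resource and Condition elements. Note that the policy above still grants kms:GenerateDataKey and kms:GenerateDataKeyPair, both of which return a plaintext data key, so the check lists them alongside Encrypt/Decrypt for review.

```python
import fnmatch
import json

# Constructed, abbreviated copy of the KMSAdmin policy above: same shape,
# only a handful of its actions, and a placeholder account ID.
KMS_ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "IAMrelated", "Effect": "Allow",
     "Action": "iam:CreateServiceLinkedRole", "Resource": "*"},
    {"Sid": "KMSAdmin", "Effect": "Allow",
     "Action": ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion",
                "kms:GenerateDataKey", "kms:DescribeKey"],
     "Resource": ["arn:aws:kms:*:123456789012:key/*"]},
    {"Sid": "ListKMS", "Effect": "Allow",
     "Action": ["kms:CreateKey", "kms:ListKeys"], "Resource": "*"}
  ]
}
""")

# Actions a key administrator should not hold: direct Encrypt/Decrypt, plus
# the GenerateDataKey* calls, which return the data key in plaintext.
REVIEW_ACTIONS = ("kms:Encrypt", "kms:Decrypt",
                  "kms:GenerateDataKey", "kms:GenerateDataKeyPair")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def policy_allows(policy, action):
    """True if the policy grants `action`: IAM wildcards (* ?) are expanded,
    matching is case-insensitive, NotAction is honoured and any Deny wins.
    Resource and Condition elements are deliberately not evaluated."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        key = "NotAction" if "NotAction" in stmt else "Action"
        patterns = [p.lower() for p in _as_list(stmt.get(key, []))]
        hit = any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
        if key == "NotAction":
            hit = not hit
        if hit:
            if stmt["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied

def granted_review_actions(policy):
    """Return the REVIEW_ACTIONS that the policy actually grants."""
    return [a for a in REVIEW_ACTIONS if policy_allows(policy, a)]

if __name__ == "__main__":
    print("needs review:", granted_review_actions(KMS_ADMIN_POLICY))
```

Run it against the full policy JSON from Step 2 (loaded from a file instead of the inline copy) to confirm Encrypt and Decrypt are absent after any further edits.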
