404

**To change the key policy for a KMS key**

The following ``put-key-policy`` example changes the key policy for a customer managed key. 

To begin, create a key policy and save it in a local JSON file. In this example, the file is ``key_policy.json``. You can also specify the key policy as a string value of the ``policy`` parameter. 

The first statement in this key policy gives the AWS account permission to use IAM policies to control access to the KMS key. The second statement gives the ``test-user`` user permission to run the ``describe-key`` and ``list-keys`` commands on the KMS key.  

Contents of ``key_policy.json``::

    {
        "Version" : "2012-10-17",
        "Id" : "key-default-1",
        "Statement" : [
            {
                "Sid" : "Enable IAM User Permissions",
                "Effect" : "Allow",
                "Principal" : {
                    "AWS" : "arn:aws:iam::111122223333:root"
                },
                "Action" : "kms:*",
                "Resource" : "*"
            },
            {
                "Sid" : "Allow Use of Key",
                "Effect" : "Allow",
                "Principal" : {
                    "AWS" : "arn:aws:iam::111122223333:user/test-user"
                },
                "Action" : [
                    "kms:DescribeKey",
                    "kms:ListKeys"
                ],
                "Resource" : "*"
            }
        ]
    }

To identify the KMS key, this example uses the key ID, but you can also usa key ARN. To specify the key policy, the command uses the ``policy`` parameter. To indicate that the policy is in a file, it uses the required ``file://`` prefix. This prefix is required to identify files on all supported operating systems. Finally, the command uses the ``policy-name`` parameter with a value of ``default``. This parameter is required, even though ``default`` is the only valid value. ::

    aws kms put-key-policy \
        --policy-name default \
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
        --policy file://key_policy.json

This command does not produce any output. To verify that the command was effective, use the ``get-key-policy`` command. The following example command gets the key policy for the same KMS key. The ``output`` parameter with a value of ``text`` returns a text format that is easy to read. ::

    aws kms get-key-policy \
        --policy-name default \
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
        --output text

Output::

    {
        "Version" : "2012-10-17",
        "Id" : "key-default-1",
        "Statement" : [ 
            {
                "Sid" : "Enable IAM User Permissions",
                "Effect" : "Allow",
                "Principal" : {
                    "AWS" : "arn:aws:iam::111122223333:root"
                },
                "Action" : "kms:*",
                "Resource" : "*"
                }, 
                {
                "Sid" : "Allow Use of Key",
                "Effect" : "Allow",
                "Principal" : {
                    "AWS" : "arn:aws:iam::111122223333:user/test-user"
                },
                "Action" : [ "kms:Describe", "kms:List" ],
                "Resource" : "*"
            } 
        ]
    }

For more information, see `Changing a Key Policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html>`__ in the *AWS Key Management Service Developer Guide*.

Name	Type	Size	Permission
cancel-key-deletion.rst	File	884 B	0644
connect-custom-key-store.rst	File	1.08 KB	0755
create-alias.rst	File	729 B	0644
create-custom-key-store.rst	File	3.75 KB	0755
create-grant.rst	File	1.18 KB	0755
create-key.rst	File	12.17 KB	0644
decrypt.rst	File	4.44 KB	0644
delete-alias.rst	File	502 B	0644
delete-custom-key-store.rst	File	1.47 KB	0755
delete-imported-key-material.rst	File	656 B	0644
describe-custom-key-stores.rst	File	5.32 KB	0755
describe-key.rst	File	5.76 KB	0644
disable-key-rotation.rst	File	679 B	0644
disable-key.rst	File	503 B	0644
disconnect-custom-key-store.rst	File	1.25 KB	0644
enable-key-rotation.rst	File	708 B	0644
enable-key.rst	File	1.02 KB	0644
encrypt.rst	File	3.47 KB	0644
generate-data-key-pair-without-plaintext.rst	File	1.66 KB	0644
generate-data-key-pair.rst	File	1.73 KB	0644
generate-data-key-without-plaintext.rst	File	1.35 KB	0644
generate-data-key.rst	File	3.17 KB	0644
generate-random.rst	File	3.16 KB	0644
get-key-policy.rst	File	956 B	0644
get-key-rotation-status.rst	File	656 B	0644
get-parameters-for-import.rst	File	1.36 KB	0644
get-public-key.rst	File	2.31 KB	0644
import-key-material.rst	File	1.51 KB	0644
list-aliases.rst	File	2.72 KB	0755
list-grants.rst	File	2.55 KB	0755
list-key-policies.rst	File	926 B	0644
list-keys.rst	File	1.04 KB	0644
list-resource-tags.rst	File	980 B	0644
list-retirable-grants.rst	File	2.92 KB	0644
put-key-policy.rst	File	3.44 KB	0755
re-encrypt.rst	File	3.82 KB	0644
retire-grant.rst	File	810 B	0644
revoke-grant.rst	File	776 B	0644
schedule-key-deletion.rst	File	1.44 KB	0644
sign.rst	File	3.08 KB	0644
tag-resource.rst	File	891 B	0644
untag-resource.rst	File	836 B	0644
update-alias.rst	File	814 B	0644
update-custom-key-store.rst	File	6.61 KB	0755
update-key-description.rst	File	1.85 KB	0644
verify.rst	File	1.38 KB	0644

[ Avaa Bypassed ]

Upload:

Command:

Filemanager

Server Info

System Info

User Info