KMS Access: Policy Evaluation Logic
Difficulty: Beginner
Duration: 1h 39m
Students: 1847
Ratings: 4.6/5
Description

This section of the Solution Architect Associate learning path introduces you to the core encryption concepts and services relevant to the SAA-C03 exam. We overview the AWS encryption options and how to select and apply AWS encryption services to meet relevant situations and scenarios. 


Learning Objectives

  • Learn the fundamentals of Amazon's Key Management Service (KMS), including permissions, key policies, and key management
  • Learn how the AWS Secrets Manager is used to implement security best practices by protecting secrets such as database credentials and API keys
  • Learn the fundamentals of CloudHSM, how it's implemented, and how to use it as a Custom Key Store in KMS
  • Learn how to implement server-side and client-side encryption
Transcript

Understanding who has access to a KMS key can be a little confusing, as there are three potential ways of gaining access to and using a KMS key: through the key policy, through IAM policies, and through grants.

Determining the correct level of access means you need to understand how these access methods all work in conjunction with one another. So let's look at a simple example to ensure we understand some key points. In this scenario, we have three KMS keys, and four users.

Here you can see the KMS keys, users and scenario statements that are applicable to this example.

So we have three KMS keys: Key-A, Key-B, and Key-C, and we have four users: Alana, Danny, Carlos, and Jorge.

So the Scenario statements are: 

  • Key-A key policy enables IAM policies to be used to manage access.
  • Key-B key policy allows access for Danny and Carlos to perform cryptographic operations. Controlling access via IAM has not been enabled.
  • Key-C key policy enables IAM policies to be used to manage access. Access is also explicitly denied for Danny and Carlos, but full cryptographic operations access is given to Alana and Jorge. Jorge also has access to create grants.
  • Alana’s IAM policy permissions allow all KMS actions on Key-A and Key-B.
  • Danny has no IAM policy permissions.
  • Carlos’ IAM policy permissions allow KMS encrypt access on Key-A.
  • Jorge’s IAM policy permissions allow all KMS actions on Key-B and Key-C.

So let's now look at each of these users' access to see if they can perform cryptographic operations, starting with Alana.

Alana’s access to Key-A is successful, as her IAM policy permissions allow all KMS actions against Key-A and the Key-A key policy allows IAM policies to be used to manage access. Her access to Key-B is denied, as the key policy for this key does not allow IAM policies to be used. Alana’s access to Key-C is successful, as the key policy allows access despite her having no IAM policy permissions related to it; access is given purely through the key policy.

Now let's take a look at Danny. His access to Key-A is denied, as there are no explicit entries in the key policy for Danny’s access and he has no IAM policy permissions associated. His access to Key-B is successful, as the key policy allows Danny access despite him having no IAM policy permissions. Danny’s access to Key-C is denied due to the explicit deny within the key policy. An explicit ‘deny’ will always overrule any other allow.

Now let's look at Carlos’ access. For Key-A, he has ‘encrypt’ access only, which is given through his IAM policy permissions, and the Key-A key policy allows IAM policies to be used to manage access. For Key-B, access is also successful, as the key policy allows him access. His IAM policy permissions are irrelevant here, as the key policy does not allow IAM policies to be used to manage access. And his access to Key-C is denied due to the explicit deny within the key policy, and an explicit deny will overrule any other allow.

And finally, Jorge’s access. He has no access to Key-A, as neither the key policy nor his IAM policy permissions provide access. He has no access to Key-B, as the key policy for this key does not allow IAM policies to be used. So despite access being granted at the IAM policy level for Jorge, the key policy does not allow IAM policies to be used and so this is disregarded. Access to Key-C is allowed for KMS cryptographic operations, in addition to the ability to create grants.
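The scenario above as a small Python model, added here as an example and not part of the course: it encodes the three rules the walkthrough relies on (an explicit deny wins, a key policy allow stands on its own, and an IAM allow counts only when the key policy delegates to IAM) and replays the four users against the three keys. The `iam_enabled` flag and the per-user action lists are assumptions standing in for real key policy and IAM policy JSON.

```python
def matches(pattern, action):
    """'kms:*' matches every KMS action; anything else must match exactly."""
    return pattern == "kms:*" or pattern == action

def kms_allows(key, iam_policies, user, action):
    """Decide whether `user` may perform `action` on `key` (constructed model).

    key: {"name", "iam_enabled", "allow": {user: [actions]}, "deny": {user: [actions]}}
         iam_enabled stands in for the key policy statement that grants the account
         root principal kms:*, which is what lets IAM policies govern the key.
    iam_policies: {user: {key_name: [actions]}}
    """
    # 1. An explicit deny in the key policy overrides every allow, wherever it comes from.
    if any(matches(p, action) for p in key["deny"].get(user, [])):
        return False
    # 2. A direct allow in the key policy is sufficient on its own; no IAM policy needed.
    if any(matches(p, action) for p in key["allow"].get(user, [])):
        return True
    # 3. IAM permissions are consulted only when the key policy delegates to IAM.
    if key["iam_enabled"]:
        return any(matches(p, action)
                   for p in iam_policies.get(user, {}).get(key["name"], []))
    return False

# The transcript's scenario as constructed data (not real policy JSON).
KEYS = {
    "Key-A": {"name": "Key-A", "iam_enabled": True, "allow": {}, "deny": {}},
    "Key-B": {"name": "Key-B", "iam_enabled": False, "deny": {},
              "allow": {"Danny": ["kms:Encrypt", "kms:Decrypt"],
                        "Carlos": ["kms:Encrypt", "kms:Decrypt"]}},
    "Key-C": {"name": "Key-C", "iam_enabled": True,
              "allow": {"Alana": ["kms:Encrypt", "kms:Decrypt"],
                        "Jorge": ["kms:Encrypt", "kms:Decrypt", "kms:CreateGrant"]},
              "deny": {"Danny": ["kms:*"], "Carlos": ["kms:*"]}},
}
IAM = {
    "Alana": {"Key-A": ["kms:*"], "Key-B": ["kms:*"]},
    "Danny": {},
    "Carlos": {"Key-A": ["kms:Encrypt"]},
    "Jorge": {"Key-B": ["kms:*"], "Key-C": ["kms:*"]},
}

def access_matrix(action="kms:Encrypt"):
    """Decision for every (user, key) pair, to compare against the walkthrough."""
    return {(u, k): kms_allows(KEYS[k], IAM, u, action) for u in IAM for k in KEYS}

if __name__ == "__main__":
    for (u, k), ok in sorted(access_matrix().items()):
        print(f"{u:6} {k}: {'allowed' if ok else 'denied'}")
```

Changing a single action list (for example removing Carlos from the Key-B allow map) and re-running the matrix shows which rule each decision depends on.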

About the Author
Students: 228422
Labs: 1
Courses: 216
Learning Paths: 176

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.