Start course

This course explores how to enforce data security measures within the AWS Key Management Service to ensure that the appropriate controls are in place to effectively protect both company and customer data from being accessed by unauthorized parties.

Learning Objectives

  • Understand how you can use Key Policies, IAM policies, and Grants to control access to KMS keys.
  • Learn how to create a new KMS Key and edit key policies.
  • Learn how a user can delegate temporary permissions to another principal using grants.

Intended Audience

Anyone with the responsibility of enforcing data security measures within AWS to ensure that both company and customer data from being accessed by unauthorized parties.


To get the most out of this course, you should have a basic understanding of the AWS Key Management Service and some of the core AWS services. You should also be familiar with the format and syntax of IAM Policies.



Hello and welcome to this final lecture of this course where I just want to quickly recap some of the key points taken from the previous lectures.  

I began this course focusing on KMS permissions and key policies, and within this lecture, I explained that:

  • Key policies are resource based policies and are tied to your KMS key.
  • The key policy is JSON based and the document syntax is much like that of IAM policies.
  • To enable IAM Permissions to be effective as an access control method you must enable them within the key policy.
  • If you don’t enable IAM permissions then any IAM policy that allows access to the key will be ignored, unless they are being used to deny access.
  • Key Administrators can either be users or roles.
  • Key admins can only administer the KMS key and not use it to perform any encryption functions.
  • Key admins can delete the key if access is given to do so.
  • Key admins can perform operations such as Update, Delete, Enable, ScheduleKeyDeletion, etc.
  • Key users define who can use the key to perform cryptographic functions.
  • Operations performed by Key users include both encrypt and decrypt data, re-encrypt data, generate data keys from the KMS key, and also describe the key.
  • Grants allow you to delegate a subset of permissions that a Key user has to another principal on a temporary basis without having to update the Key Policy.
  • Grants are also used by different AWS services that integrate with KMS.  
  • Grants can only be created using the CLI.
  • After creating a grant, there could be a delay until the operation achieves eventual consistency.

Following this lecture, I then gave a demonstration showing you how to create a new KMS key using the AWS Management Console and how the key policy is built to include key administrators, users, and grants. 

Finally, I covered the policy evaluation logic to explain how access is granted when key policies, IAM policies, and Grants are all being used to grant access and which permissions override others.

That now brings me to the end of this lecture and to the end of this course, and so you should now have a greater understanding of some of the different methods you can use to secure your KMS keys.

Feedback on our courses here at Cloud Academy is valuable to both us as trainers and any students looking to take the same course in the future. If you have any feedback, positive or negative, it would be greatly appreciated if you could contact

Thank you for your time and good luck with your continued learning of cloud computing. Thank you.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.