AWS KMS

Hint

All current KMS Key properties are supported. This feature was tested by copy-pasting the AWS examples.

IAM Access types

The following access types have been created for the KMS key:

  • EncryptDecrypt

  • EncryptOnly

  • DecryptOnly

  • SQS

KMS Permissions scaffold
{
    "SQS": {
        "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
        ],
        "Effect": "Allow"
    },
    "DecryptOnly": {
        "Action": [
            "kms:Decrypt"
        ],
        "Effect": "Allow"
    },
    "EncryptOnly": {
        "Action": [
            "kms:Encrypt",
            "kms:GenerateDataKey*",
            "kms:ReEncrypt*"
        ],
        "Effect": "Allow"
    },
    "EncryptDecrypt": {
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:CreateGrant",
            "kms:DescribeKey"
        ],
        "Effect": "Allow"
    }
}
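
The following is an added example, not code from the project: it turns one scaffold entry into an IAM policy statement scoped to a single key, and expands the scaffold's wildcards so a reviewer can see which concrete KMS actions each access type grants. The function names, the Sid format, the key ARN and the KMS_ACTIONS subset are assumptions made for the illustration.

```python
import json
from fnmatch import fnmatchcase

# Scaffold copied from the page above.
SCAFFOLD = {
    "SQS": {"Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Effect": "Allow"},
    "DecryptOnly": {"Action": ["kms:Decrypt"], "Effect": "Allow"},
    "EncryptOnly": {
        "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"],
        "Effect": "Allow",
    },
    "EncryptDecrypt": {
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey"],
        "Effect": "Allow",
    },
}

# Subset of KMS IAM actions, listed here only to expand the scaffold's wildcards.
KMS_ACTIONS = [
    "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
    "kms:GenerateDataKey", "kms:GenerateDataKeyPair",
    "kms:GenerateDataKeyPairWithoutPlaintext",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom", "kms:ReEncryptTo",
]


def build_statement(access, key_arn):
    """Return an IAM statement for one access type, scoped to a single key ARN."""
    if access not in SCAFFOLD:
        raise ValueError(f"unknown access type {access!r}; expected one of {sorted(SCAFFOLD)}")
    entry = SCAFFOLD[access]
    # Hypothetical Sid format; the Resource is pinned to the key, never "*".
    return {"Sid": f"Kms{access}", "Effect": entry["Effect"],
            "Action": list(entry["Action"]), "Resource": [key_arn]}


def expand_actions(access):
    """Resolve the scaffold's wildcard patterns to concrete KMS actions."""
    patterns = SCAFFOLD[access]["Action"]
    return sorted(a for a in KMS_ACTIONS if any(fnmatchcase(a, p) for p in patterns))


if __name__ == "__main__":
    # Constructed key ARN (placeholder account and key id).
    arn = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
    print(json.dumps(build_statement("EncryptOnly", arn), indent=2))
    for name in SCAFFOLD:
        print(name, expand_actions(name))
```

The expansion shows that EncryptOnly covers both kms:ReEncryptFrom and kms:ReEncryptTo through kms:ReEncrypt*, and all four GenerateDataKey variants through kms:GenerateDataKey*, while SQS is limited to the two exact actions it names.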