How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

By:
In: SCS-C01
Tagged:
With: 1 Comment
An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.

How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.

Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.

Configure the IAM user’s policy to allow KMS to pass a role to Amazon S3.

Configure the IAM user’s policy to allow only Amazon S3 operations when they are combined with the CMK.

Explanations:

The key policy cannot directly restrict KMS actions to only Amazon S3 by allowing only thekms:Encryptaction. This is too broad and does not properly constrain the CMK to only S3.

Thekms:ViaServicecondition can be used in the CMK key policy to restrict its usage to only the Amazon S3 service, ensuring that the CMK can only be used by S3 operations.

Allowing KMS actions to pass a role to Amazon S3 is unrelated to limiting the CMK’s usage to only S3. The key policy should be used for service-specific constraints, not role passing.

The IAM user’s policy governs permissions for specific actions, but it does not limit the CMK usage to a specific service like S3. The CMK’s key policy is responsible for this restriction.

2025-10-14

1 Comment

  1. Dylan
    Author

    To the best of my knowledge, the answer is:
    Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.

Leave a Reply

Your email address will not be published. Required fields are marked *

three + two =