I now want to look at permissions associated with the CMK. Earlier, when I was explaining how to create a customer-managed CMK, we had options to review and modify key administrators and key users, which had an effect on the resulting CMK key policy.
The main function of the key policy is to determine who can both use the key to perform cryptographic operations, such as encrypt, decrypt, GenerateDataKey, and many more, in addition to who can administer the CMK to perform functions such as deleting/revoking the CMK and importing key material into the CMK.
The policy itself is considered a resource-based policy as it is tied to the CMK itself and, as a result, it's not possible to use a CMK for any encryption unless it has a configured key policy attached.
Much like IAM policies, key policies are JSON-based and appear much like other IAM access policies from a syntax and structure point of view, so if you are familiar with IAM policies, then key policies will...