The last method of allowing access to your CMKs is via grants. Grants effectively allow you to programmatically delegate your permissions to another principal, but at a more granular level than key policies can.
It is not possible to create grants from within the AWS Management Console; they are programmatically created, and so you can use the AWS CLI instead.
A grant consists of two parties, the user who creates the grant, and the grantee who then uses that grant to perform cryptographic operations. However, the permissions given to the grantee can only be equal to, or more restrictive than, those associated with the user who issued and created the grant.
For a user to be able to create and revoke grants, they must have the following permissions, either within the key policy, or given via an IAM identity-based policy, providing IAM permissions are allowed:
- "kms:CreateGrant"
- "kms:ListGrants"
- "kms:RevokeGrant"
To facilitate...