AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2026-05-22 · Documentation medium

File: kms/latest/developerguide/conditions-kms.md

Summary

Added documentation for three new KMS condition keys (kms:GrantConstraintSourceArn, kms:GranteeServicePrincipal, kms:RetiringServicePrincipal) and updated references throughout the document. Included usage examples, policy type information, and integration notes.

Security assessment

The changes document new condition keys for granular access control in KMS grants, enhancing security capabilities. However, there is no evidence this addresses a specific security vulnerability. The documentation additions focus on security features for policy enforcement.

Diff

diff --git a/kms/latest/developerguide/conditions-kms.md b/kms/latest/developerguide/conditions-kms.md
index a69f8917f..14363852f 100644
--- a//kms/latest/developerguide/conditions-kms.md
+++ b//kms/latest/developerguide/conditions-kms.md
@@ -7 +7 @@
-kms:BypassPolicyLockoutSafetyCheckkms:CallerAccountkms:CustomerMasterKeySpec (deprecated)kms:CustomerMasterKeyUsage (deprecated)kms:DataKeyPairSpeckms:EncryptionAlgorithmkms:EncryptionContext:context-keykms:EncryptionContextKeyskms:ExpirationModelkms:GrantConstraintTypekms:GrantIsForAWSResourcekms:GrantOperationskms:GranteePrincipalkms:KeyAgreementAlgorithmkms:KeyOriginkms:KeySpeckms:KeyUsagekms:MacAlgorithmkms:MessageTypekms:MultiRegionkms:MultiRegionKeyTypekms:PrimaryRegionkms:ReEncryptOnSameKeykms:RequestAliaskms:ResourceAliaseskms:ReplicaRegionkms:RetiringPrincipalkms:RotationPeriodInDayskms:ScheduleKeyDeletionPendingWindowInDayskms:SigningAlgorithmkms:TrailingDaysWithoutKeyUsagekms:ValidTokms:ViaServicekms:WrappingAlgorithmkms:WrappingKeySpec
+kms:BypassPolicyLockoutSafetyCheckkms:CallerAccountkms:CustomerMasterKeySpec (deprecated)kms:CustomerMasterKeyUsage (deprecated)kms:DataKeyPairSpeckms:EncryptionAlgorithmkms:EncryptionContext:context-keykms:EncryptionContextKeyskms:ExpirationModelkms:GrantConstraintTypekms:GrantIsForAWSResourcekms:GrantOperationskms:GranteePrincipalkms:KeyAgreementAlgorithmkms:KeyOriginkms:KeySpeckms:KeyUsagekms:MacAlgorithmkms:MessageTypekms:MultiRegionkms:MultiRegionKeyTypekms:PrimaryRegionkms:ReEncryptOnSameKeykms:RequestAliaskms:ResourceAliaseskms:ReplicaRegionkms:RetiringPrincipalkms:GrantConstraintSourceArnkms:GranteeServicePrincipalkms:RetiringServicePrincipalkms:RotationPeriodInDayskms:ScheduleKeyDeletionPendingWindowInDayskms:SigningAlgorithmkms:TrailingDaysWithoutKeyUsagekms:ValidTokms:ViaServicekms:WrappingAlgorithmkms:WrappingKeySpec
@@ -107,0 +108,6 @@ For detailed information about the `ForAnyValue` and `ForAllValues` set operator
+  * kms:GrantConstraintSourceArn
+
+  * kms:GranteeServicePrincipal
+
+  * kms:RetiringServicePrincipal
+
@@ -828,0 +835,4 @@ When you create a grant, you can optionally specify a grant constraint to allow
+###### Note
+
+The `kms:GrantConstraintType` condition key only evaluates encryption context grant constraints (`EncryptionContextEquals` and `EncryptionContextSubset`). To control access based on the `SourceArn` grant constraint, use the kms:GrantConstraintSourceArn condition key.
+
@@ -855,0 +866,6 @@ The following example key policy statement uses the `kms:GrantConstraintType` co
+  * kms:GrantConstraintSourceArn
+
+  * kms:GranteePrincipal
+
+  * kms:GranteeServicePrincipal
+
@@ -860,2 +875,0 @@ The following example key policy statement uses the `kms:GrantConstraintType` co
-  * kms:GranteePrincipal
-
@@ -863,0 +878,2 @@ The following example key policy statement uses the `kms:GrantConstraintType` co
+  * kms:RetiringServicePrincipal
+
@@ -894 +910 @@ The following example key policy statement uses the `kms:GrantIsForAWSResource`
-  * kms:GrantConstraintType
+  * kms:GrantConstraintSourceArn
@@ -896 +912 @@ The following example key policy statement uses the `kms:GrantIsForAWSResource`
-  * kms:GrantOperations
+  * kms:GrantConstraintType
@@ -899,0 +916,4 @@ The following example key policy statement uses the `kms:GrantIsForAWSResource`
+  * kms:GranteeServicePrincipal
+
+  * kms:GrantOperations
+
@@ -901,0 +922,2 @@ The following example key policy statement uses the `kms:GrantIsForAWSResource`
+  * kms:RetiringServicePrincipal
+
@@ -947,0 +970,2 @@ If you change the set operator in the policy condition to `ForAnyValue`, the pol
+  * kms:GrantConstraintSourceArn
+
@@ -953,0 +978,2 @@ If you change the set operator in the policy condition to `ForAnyValue`, the pol
+  * kms:GranteeServicePrincipal
+
@@ -955,0 +982,2 @@ If you change the set operator in the policy condition to `ForAnyValue`, the pol
+  * kms:RetiringServicePrincipal
+
@@ -987,0 +1016,2 @@ The following example key policy statement uses the `kms:GranteePrincipal` condi
+  * kms:GrantConstraintSourceArn
+
@@ -993,0 +1024,2 @@ The following example key policy statement uses the `kms:GranteePrincipal` condi
+  * kms:GranteeServicePrincipal
+
@@ -995,0 +1028,2 @@ The following example key policy statement uses the `kms:GranteePrincipal` condi
+  * kms:RetiringServicePrincipal
+
@@ -1621,0 +1656,2 @@ The following example key policy statement allows a user to create grants for th
+  * kms:GrantConstraintSourceArn
+
@@ -1623,0 +1660,4 @@ The following example key policy statement allows a user to create grants for th
+  * kms:GranteePrincipal
+
+  * kms:GranteeServicePrincipal
+
@@ -1627,0 +1668,34 @@ The following example key policy statement allows a user to create grants for th
+  * kms:RetiringServicePrincipal
+
+
+
+
+## kms:GrantConstraintSourceArn
+
+AWS KMS condition keys | Condition type | Value type | API operations | Policy type  
+---|---|---|---|---  
+`kms:GrantConstraintSourceArn` |  ARN |  Single-valued |  `CreateGrant` |  Key policies and IAM policies  
+  
+You can use this condition key to control access to the [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) operation based on the `SourceArn` value in the [Constraints](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html#KMS-CreateGrant-request-Constraints) parameter of the request. The `SourceArn` grant constraint is effectively putting an [aws:SourceArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) global condition key into the grant. 
+
+The following example key policy statement uses the `kms:GrantConstraintSourceArn` condition key to allow creating grants for a KMS key only when the `SourceArn` constraint in the grant matches a specific DynamoDB table ARN pattern.
+    
+    
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
+      },
+      "Action": "kms:CreateGrant",
+      "Resource": "*",
+      "Condition": {
+        "ArnLike": {
+          **"kms:GrantConstraintSourceArn": "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable*"**
+        }
+      }
+    }
+
+**See also**
+
+  * kms:GrantConstraintType
+
@@ -1629,0 +1704,98 @@ The following example key policy statement allows a user to create grants for th
+  * kms:GranteeServicePrincipal
+
+  * kms:GrantIsForAWSResource
+
+  * kms:GrantOperations
+
+  * kms:RetiringPrincipal
+
+  * kms:RetiringServicePrincipal
+
+
+
+
+## kms:GranteeServicePrincipal
+
+AWS KMS condition keys | Condition type | Value type | API operations | Policy type  
+---|---|---|---|---  
+`kms:GranteeServicePrincipal` |  String |  Single-valued |  `CreateGrant` |  Key policies and IAM policies  
+  
+You can use this condition key to control access to the [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) operation based on the value of the [GranteeServicePrincipal](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html#KMS-CreateGrant-request-GranteeServicePrincipal) parameter in the request. The value is the AWS [service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) specified as the grantee of the grant (for example, `service-name.amazonaws.com`). 
+
+The following example key policy statement uses the `kms:GranteeServicePrincipal` condition key to allow creating grants for a KMS key only when the grantee service principal in the grant is ``service-name`.amazonaws.com`.
+    
+    
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
+      },
+      "Action": "kms:CreateGrant",
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          **"kms:GranteeServicePrincipal": "service-name.amazonaws.com"**
+        }
+      }
+    }
+
+**See also**
+
+  * kms:GrantConstraintSourceArn
+
+  * kms:GrantConstraintType
+
+  * kms:GranteePrincipal
+
+  * kms:GrantIsForAWSResource
+
+  * kms:GrantOperations
+
+  * kms:RetiringPrincipal
+
+  * kms:RetiringServicePrincipal
+
+
+
+
+## kms:RetiringServicePrincipal
+
+AWS KMS condition keys | Condition type | Value type | API operations | Policy type  
+---|---|---|---|---  
+`kms:RetiringServicePrincipal` |  String |  Single-valued |  `CreateGrant` |  Key policies and IAM policies  
+  
+You can use this condition key to control access to the [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) operation based on the value of the [RetiringServicePrincipal](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html#KMS-CreateGrant-request-RetiringServicePrincipal) parameter in the request. The value is the AWS [service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) specified as the retiring principal of the grant (for example, `service-name.amazonaws.com`). 
+
+The following example key policy statement uses the `kms:RetiringServicePrincipal` condition key to allow creating grants for a KMS key only when the retiring service principal in the grant is ``service-name`.amazonaws.com`.
+    
+    
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
+      },
+      "Action": "kms:CreateGrant",
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          **"kms:RetiringServicePrincipal": "service-name.amazonaws.com"**
+        }
+      }
+    }
+
+**See also**
+
+  * kms:GrantConstraintSourceArn
+
+  * kms:GrantConstraintType
+
+  * kms:GranteePrincipal
+
+  * kms:GranteeServicePrincipal
+