本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AWS KMS 許可
此資料表旨在協助您了解 AWS KMS 許可,以便控制對 AWS KMS 資源的存取。欄標題的定義顯示在表格下方。
您也可以在*服務授權參考*主題[的動作、資源和條件索引鍵 AWS Key Management Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html)中了解 AWS KMS 許可。然而,該主題不會列出您可以用於細化每個許可的所有條件金鑰。
如需哪些 AWS KMS 操作對對稱加密 KMS 金鑰、非對稱 KMS 金鑰和 HMAC KMS 金鑰有效的詳細資訊,請參閱 [金鑰類型參考](symm-asymm-compare.md)。
**注意**
您可能需要水平或垂直捲動,才能查看資料表中的所有資料。
- ** [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) `kms:CancelKeyDeletion` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- **[ConnectCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_ConnectCustomKeyStore.html) `kms:ConnectCustomKeyStore`**
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** [kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [CreateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html) `kms:CreateAlias` 若要使用此操作時,呼叫者需要兩個資源上的 `kms:CreateAlias` 許可: [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/kms/latest/developerguide/kms-api-permissions-reference.html) 如需詳細資訊,請參閱[控制對別名的存取](alias-access.md)。 **
- **Policy type (政策類型):** IAM 政策 (適用於別名) / **跨帳戶使用:** 否 / **資源 (適用於 IAM 政策):** Alias (別名) / **AWS KMS 條件索引鍵:** 無 (控制對別名的存取時)
- **Policy type (政策類型):** KMS 政策 (適用於 KMS 金鑰) / **跨帳戶使用:** 否 / **資源 (適用於 IAM 政策):** KMS 金鑰 / **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- **[CreateCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html)`kms:CreateCustomKeyStore`**
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** [kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) `kms:CreateGrant` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *加密內容條件:*
[kms:EncryptionContext:*context-key*](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms:EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*授予條件:*
[kms:GrantConstraintType](conditions-kms.md#conditions-kms-grant-constraint-type)
[kms:GranteePrincipal](conditions-kms.md#conditions-kms-grantee-principal)
[kms:GrantIsForAWSResource](conditions-kms.md#conditions-kms-grant-is-for-aws-resource)
[kms:GrantOperations](conditions-kms.md#conditions-kms-grant-operations)
[kms:RetiringPrincipal](conditions-kms.md#conditions-kms-retiring-principal)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) `kms:CreateKey` **
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** [kms:BypassPolicyLockoutSafetyCheck](conditions-kms.md#conditions-kms-bypass-policy-lockout-safety-check)
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
[aws:RequestTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) (AWS 全域條件金鑰)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[aws:TagKeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) (AWS 全域條件金鑰)
- ** [解密](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) `kms:Decrypt` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *密碼編譯操作的條件*
[kms:EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密內容條件:*
[kms:EncryptionContext:*context-key*](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms:EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [DeleteAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteAlias.html) `kms:DeleteAlias` 若要使用此操作時,呼叫者需要兩個資源上的 `kms:DeleteAlias` 許可: [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/kms/latest/developerguide/kms-api-permissions-reference.html) 如需詳細資訊,請參閱[控制對別名的存取](alias-access.md)。 **
- **Policy type (政策類型):** IAM 政策 (適用於別名) / **跨帳戶使用:** 否 / **資源 (適用於 IAM 政策):** Alias (別名) / **AWS KMS 條件索引鍵:** 無 (控制對別名的存取時)
- **Policy type (政策類型):** KMS 政策 (適用於 KMS 金鑰) / **跨帳戶使用:** 否 / **資源 (適用於 IAM 政策):** KMS 金鑰 / **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- **[DeleteCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteCustomKeyStore.html)`kms:DeleteCustomKeyStore`**
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** [kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [DeleteImportedKeyMaterial](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html) `kms:DeleteImportedKeyMaterial` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- **[DeriveSharedSecret](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html)`kms:DeriveSharedSecret`**
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)密碼編譯操作的條件:
[kms:KeyAgreementAlgorithm](conditions-kms.md#conditions-kms-key-agreement-algorithm)
- **[DescribeCustomKeyStores](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeCustomKeyStores.html)`kms:DescribeCustomKeyStores`**
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** [kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) `kms:DescribeKey` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*其他條件:*
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
- ** [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) `kms:DisableKey` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [DisableKeyRotation](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKeyRotation.html) `kms:DisableKeyRotation` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- **[DisconnectCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisconnectCustomKeyStore.html)`kms:DisconnectCustomKeyStore`**
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** [kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [EnableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html) `kms:EnableKey` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [EnableKeyRotation](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKeyRotation.html) `kms:EnableKeyRotation` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*自動金鑰輪換條件:*
[kms:RotationPeriodInDays](conditions-kms.md#conditions-kms-rotation-period-in-days)
- ** [加密](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) `kms:Encrypt` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *密碼編譯操作的條件*
[kms:EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密內容條件:*
[kms:EncryptionContext:*context-key*](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms:EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) `kms:GenerateDataKey` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *密碼編譯操作的條件*
[kms:EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密內容條件:*
[kms:EncryptionContext:*context-key*](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms:EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GenerateDataKeyPair](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html) `kms:GenerateDataKeyPair` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
產生受對稱加密 KMS 金鑰保護的非對稱資料金鑰對。
- **AWS KMS 條件索引鍵:** *資料金鑰對的條件:*
[kms:DataKeyPairSpec](conditions-kms.md#conditions-kms-data-key-spec)
*密碼編譯操作的條件*
[kms:EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密內容條件:*
[kms:EncryptionContext:*context-key*](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms:EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GenerateDataKeyPairWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPairWithoutPlaintext.html) `kms:GenerateDataKeyPairWithoutPlaintext` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
產生受對稱加密 KMS 金鑰保護的非對稱資料金鑰對。
- **AWS KMS 條件索引鍵:** *資料金鑰對的條件:*
[kms:DataKeyPairSpec](conditions-kms.md#conditions-kms-data-key-spec)
*密碼編譯操作的條件*
[kms:EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密內容條件:*
[kms:EncryptionContext:*context-key*](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms:EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) `kms:GenerateDataKeyWithoutPlaintext` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *密碼編譯操作的條件*
[kms:EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密內容條件:*
[kms:EncryptionContext:*context-key*](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms:EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- **[GenerateMac](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateMac.html)`kms:GenerateMac`**
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)密碼編譯操作的條件:
[kms:MacAlgorithm](conditions-kms.md#conditions-kms-mac-algorithm)
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
- ** [GenerateRandom](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html) `kms:GenerateRandom` **
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** N/A
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** 無
- ** [GetKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyPolicy.html) `kms:GetKeyPolicy` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GetKeyRotationStatus](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyRotationStatus.html) `kms:GetKeyRotationStatus` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GetParametersForImport](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetParametersForImport.html) `kms:GetParametersForImport` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** [kms:WrappingAlgorithm](conditions-kms.md#conditions-kms-wrapping-algorithm)
[kms:WrappingKeySpec](conditions-kms.md#conditions-kms-wrapping-key-spec)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [GetPublicKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html) `kms:GetPublicKey` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*其他條件:*
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
- ** [ImportKeyMaterial](https://docs.aws.amazon.com/kms/latest/APIReference/API_ImportKeyMaterial.html) `kms:ImportKeyMaterial` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*其他條件:*[kms:ExpirationModel](conditions-kms.md#conditions-kms-expiration-model)
[kms:ValidTo](conditions-kms.md#conditions-kms-valid-to)
- ** [ListAliases](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html) `kms:ListAliases` **
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** 無
- ** [ListGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html) `kms:ListGrants` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*其他條件:*
[kms:GrantIsForAWSResource](conditions-kms.md#conditions-kms-grant-is-for-aws-resource)
- ** [ListKeyPolicies](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeyPolicies.html) `kms:ListKeyPolicies` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [ListKeyRotations](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeyRotations.html) `kms:ListKeyRotations` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) `kms:ListKeys` **
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** 無
- ** [ListResourceTags](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html) `kms:ListResourceTags` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [ListRetirableGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListRetirableGrants.html) `kms:ListRetirableGrants` **
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** 指定的主體必須位於本機帳戶中,但操作會在所有帳戶中傳回授予。
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** 無
- ** [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) `kms:PutKeyPolicy` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*其他條件:*
[kms:BypassPolicyLockoutSafetyCheck](conditions-kms.md#conditions-kms-bypass-policy-lockout-safety-check)
- ** [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html) `kms:ReEncryptFrom` `kms:ReEncryptTo` 若要使用此操作時,呼叫者需要兩個 KMS 金鑰上的許可: [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/kms/latest/developerguide/kms-api-permissions-reference.html) **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *密碼編譯操作的條件*
[kms:EncryptionAlgorithm](conditions-kms.md#conditions-kms-encryption-algorithm)
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
*加密內容條件:*
[kms:EncryptionContext:*context-key*](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms:EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*其他條件:*
[kms:ReEncryptOnSameKey](conditions-kms.md#conditions-kms-reencrypt-on-same-key)
- ** [ReplicateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReplicateKey.html) `kms:ReplicateKey` 若要使用此操作時,呼叫者需要以下許可: [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/kms/latest/developerguide/kms-api-permissions-reference.html) **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*其他條件:*
[kms:ReplicaRegion](conditions-kms.md#conditions-kms-replica-region)
- ** [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) `kms:RetireGrant` 淘汰授予的許可主要取決於授予。單獨的政策無法允許存取此操作。如需詳細資訊,請參閱[淘汰和撤銷授予](grant-delete.md)。 **
- **Policy type (政策類型):** IAM 政策
(此許可在主要政策中無效。)
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *加密內容條件:*
[kms:EncryptionContext:*context-key*](conditions-kms.md#conditions-kms-encryption-context-keys)
[kms:EncryptionContextKeys](conditions-kms.md#conditions-kms-encryption-context-keys)
*授予條件:*
[kms:GrantConstraintType](conditions-kms.md#conditions-kms-grant-constraint-type)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [RevokeGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html) `kms:RevokeGrant` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*其他條件:*
[kms:GrantIsForAWSResource](conditions-kms.md#conditions-kms-grant-is-for-aws-resource)
- ** [RotateKeyOnDemand](https://docs.aws.amazon.com/kms/latest/APIReference/API_RotateKeyOnDemand.html) `kms:RotateKeyOnDemand` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) `kms:ScheduleKeyDeletion` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [符號](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) `kms:Sign` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *簽署和驗證的條件:*
[kms:MessageType](conditions-kms.md#conditions-kms-message-type)[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
[kms:SigningAlgorithm](conditions-kms.md#conditions-kms-signing-algorithm)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [TagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html) `kms:TagResource` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*標記的條件:*
[aws:RequestTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) (AWS 全域條件金鑰)
[aws:TagKeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) (AWS 全域條件金鑰)
- ** [UntagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_UntagResource.html) `kms:UntagResource` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*標記的條件:*
[aws:RequestTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) (AWS 全域條件金鑰)
[aws:TagKeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) (AWS 全域條件金鑰)
- ** [UpdateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateAlias.html) `kms:UpdateAlias` 若要使用此操作時,呼叫者需要三個資源上的 `kms:UpdateAlias` 許可: [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/kms/latest/developerguide/kms-api-permissions-reference.html) 如需詳細資訊,請參閱[控制對別名的存取](alias-access.md)。 **
- **Policy type (政策類型):** IAM 政策 (適用於別名) / **跨帳戶使用:** 否 / **資源 (適用於 IAM 政策):** Alias (別名) / **AWS KMS 條件索引鍵:** 無 (控制對別名的存取時)
- **Policy type (政策類型):** 金鑰政策 (適用於 KMS 金鑰) / **跨帳戶使用:** 否 / **資源 (適用於 IAM 政策):** KMS 金鑰 / **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- **[UpdateCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateCustomKeyStore.html)`kms:UpdateCustomKeyStore`**
- **Policy type (政策類型):** IAM 政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** `*`
- **AWS KMS 條件索引鍵:** [kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
- ** [UpdateKeyDescription](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateKeyDescription.html) `kms:UpdateKeyDescription` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- ** [UpdatePrimaryRegion](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdatePrimaryRegion.html) `kms:UpdatePrimaryRegion` 若要使用此操作時,呼叫者需要針對會成為複本金鑰之[多區域主要金鑰](multi-region-keys-overview.md#mrk-primary-key)和會成為主要金鑰之[多區域複本金鑰](multi-region-keys-overview.md#mrk-replica-key)的 `kms:UpdatePrimaryRegion` 許可。 **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 否
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
*其他條件*
[kms:PrimaryRegion](conditions-kms.md#conditions-kms-primary-region)
- ** [確認](https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html) `kms:Verify` **
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *簽署和驗證的條件:*
[kms:MessageType](conditions-kms.md#conditions-kms-message-type)[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
[kms:SigningAlgorithm](conditions-kms.md#conditions-kms-signing-algorithm)
*KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)
- **[VerifyMac](https://docs.aws.amazon.com/kms/latest/APIReference/API_VerifyMac.html)`kms:VerifyMac`**
- **Policy type (政策類型):** 金鑰政策
- **跨帳戶使用:** 是
- **資源 (適用於 IAM 政策):** KMS 金鑰
- **AWS KMS 條件索引鍵:** *KMS 金鑰操作的條件:*
[kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
[kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
[kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
[kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
[kms:MultiRegion](conditions-kms.md#conditions-kms-multiregion)
[kms:MultiRegionKeyType](conditions-kms.md#conditions-kms-multiregion-key-type)
[kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases)
[aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (AWS 全域條件金鑰)
[kms:ViaService](conditions-kms.md#conditions-kms-via-service)密碼編譯操作的條件:
[kms:MacAlgorithm](conditions-kms.md#conditions-kms-mac-algorithm)
[kms:RequestAlias](conditions-kms.md#conditions-kms-request-alias)
## 資料欄描述
此資料表中的資料欄提供下列資訊:
+ **動作和許可**會列出每個 AWS KMS API 操作,以及允許操作的許可。您可以在政策陳述式的 `Action` 元素中指定操作。
+ **政策類型**指出許可可用於金鑰政策還是 IAM 政策。
*金鑰政策*表示您可以在金鑰政策中指定許可。當金鑰政策包含[啟用 IAM 政策的政策陳述式](key-policy-default.md#key-policy-default-allow-root-enable-iam)時,您可以在 IAM 政策中指定許可。
*IAM 政策*表示您只能在 IAM 政策中指定許可。
+ **跨帳戶使用**顯示授權使用者可以對不同 AWS 帳戶中資源執行的操作。
值為*是*表示主體可以對不同 AWS 帳戶中的資源執行操作。
值為*否*表示主體僅可對其自己 AWS 帳戶中的資源執行操作。
如果您為不同帳戶中的主體授予無法在跨帳戶資源上使用的許可,則許可無效。例如,如果您為不同帳戶的主體提供您帳戶中 KMS 金鑰的 [kms:TagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html) 許可,則其在您帳戶中標記 KMS 金鑰的嘗試將會失敗。
+ **資源**列出許可適用的 AWS KMS 資源。 AWS KMS 支援兩種資源類型:KMS 金鑰和別名。在金鑰政策中,`Resource` 元素的值永遠是 `*`,這指的是 KMS 金鑰所連接的金鑰政策。
使用下列值來代表 IAM 政策中的 AWS KMS 資源。
**KMS 金鑰**
當資源為 KMS 金鑰時,請使用其[金鑰 ARN](concepts.md#key-id-key-ARN)。如需協助,請參閱 [尋找金鑰 ID 和金鑰 ARN](find-cmk-id-arn.md)。
`arn:{{AWS_partition_name}}:kms:{{AWS_Region}}:{{AWS_account_ID}}:key/{{key_ID}}`
例如:
arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
**Alias (別名)**
當資源為別名時,請使用其[別名 ARN](concepts.md#key-id-alias-ARN)。如需協助,請參閱 [尋找 KMS 金鑰的別名名稱和別名 ARN](alias-view.md)。
`arn:{{AWS_partition_name}}:kms:{{AWS_region}}:{{AWS_account_ID}}:alias/{{alias_name}}`
例如:
arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias
**`*` (星號)**
當許可不適用於特定資源 (KMS 金鑰或別名) 時,請使用星號 (`*`)。
在 AWS KMS 許可的 IAM 政策中, `Resource`元素中的星號表示所有 AWS KMS 資源 (KMS 金鑰和別名)。當 AWS KMS 許可不適用於任何特定 KMS 金鑰或別名時,您也可以在 `Resource`元素中使用星號。例如,允許或拒絕 `kms:CreateKey`或 `kms:ListKeys`許可時,您必須將 `Resource`元素設定為 `*`。
+ **AWS KMS 條件索引**鍵列出您可以用來控制操作存取 AWS KMS 的條件索引鍵。您可以在政策的 `Condition` 元素中指定條件。如需詳細資訊,請參閱[AWS KMS 條件索引鍵](conditions-kms.md)。此欄也包含 支援的[AWS 全域條件索引鍵](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) AWS KMS,但並非所有 服務都 AWS 支援。