AWS BYOK Service Account Requirements

Grant the AWS service account the following permissions:

  • KMS:FullAccess
  • IAM:GetUser
  • IAM:ListUsers
  • IAM:ListAccessKeys
  • IAM:CreateAccessKey
  • IAM:DeleteAccessKey
  • IAM:UpdateAccessKey
  • EC2:DescribeRegions
  • SSM:GetParameter
  • tag:GetResources

The IAM policy document (JSON) for the service account should look like the following:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "ServiceAccountPolicy",
			"Effect": "Allow",
			"Action": [
				"kms:*",
				"ec2:DescribeRegions",
				"ssm:GetParameter",
				"iam:ListUsers",
				"iam:GetUser",
				"iam:CreateAccessKey",
				"iam:UpdateAccessKey",
				"iam:ListAccessKeys",
				"iam:DeleteAccessKey",
				"tag:GetResources"
			],
			"Resource": "*"
		}
	]
}
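As an added example (not part of this page or of the AWS service), a small Python audit that checks a candidate policy document against the permission list above and flags wildcard actions paired with Resource "*". The embedded sample policy is a constructed copy of the page's policy with tag:GetResources left out, so the check has a gap to report.

```python
import fnmatch
import json

# Required permissions from the page's list ("KMS:FullAccess" is the kms:* grant in the policy).
REQUIRED_ACTIONS = [
    "kms:*", "iam:GetUser", "iam:ListUsers", "iam:ListAccessKeys", "iam:CreateAccessKey",
    "iam:DeleteAccessKey", "iam:UpdateAccessKey", "ec2:DescribeRegions", "ssm:GetParameter",
    "tag:GetResources",
]

# Constructed sample: the page's policy with tag:GetResources left out, so the check has something to catch.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "ServiceAccountPolicy", "Effect": "Allow",
                "Action": ["kms:*", "ec2:DescribeRegions", "ssm:GetParameter", "iam:ListUsers",
                           "iam:GetUser", "iam:CreateAccessKey", "iam:UpdateAccessKey",
                           "iam:ListAccessKeys", "iam:DeleteAccessKey"],
                "Resource": "*"}]}
""")

def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def action_granted(action, policy):
    """True if an Allow statement matches the action. IAM action names are
    case-insensitive and a policy may use '*' and '?' wildcards in them."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", []))):
            return True
    return False

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required permissions the policy does not grant, in the page's spelling."""
    return [a for a in required if not action_granted(a, policy)]

def broad_grants(policy):
    """(Sid, action) pairs where a wildcard action is combined with Resource '*';
    review these first when narrowing the service account towards least privilege."""
    return [(stmt.get("Sid", "<no Sid>"), a)
            for stmt in policy["Statement"] if stmt.get("Effect") == "Allow"
            for a in _as_list(stmt.get("Action", []))
            if "*" in a and "*" in _as_list(stmt.get("Resource", []))]

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))  # ['tag:GetResources']
    print("broad:", broad_grants(SAMPLE_POLICY))  # [('ServiceAccountPolicy', 'kms:*')]
```

Point `SAMPLE_POLICY` at the policy document you actually attach (for example via `json.load` on the file) to re-run the same two checks against it.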