AWS BYOK Access Policy

KeyControl uses the AWS Key Policy to control IAM users' access to BYOK keys. The default key policy template used by KeyControl defines the following roles: 

  • An administrator with full administrative rights to the key.

  • A user that can use the key for encryption or decryption.

KeyControl admins can assign IAM users as administrators, users, or both for a specific CloudKey. The default key policy template used by KeyControl is the same as the default policy template used by the AWS KMS console.

Note: If you change the key policy of a CloudKey directly in AWS KMS, you will not be able to update or view its access information in KeyControl.
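To check who holds each role on a key, and whether its policy still matches the two-role template, the policy document can be audited offline. The following is an added example, not KeyControl or AWS code; it assumes the template keeps the statement Sids of the AWS KMS console default policy, and the function names, account ID, user names and sample policy are constructed for illustration.

```python
import json

# Statement Sids of the AWS KMS console default key policy (assumption: the
# KeyControl template keeps them, since the page says the templates match).
ADMIN_SID = "Allow access for Key Administrators"
USER_SIDS = {"Allow use of the key", "Allow attachment of persistent resources"}
ROOT_SID = "Enable IAM User Permissions"

def _principals(stmt):
    """Return the AWS principals of a statement as a sorted list."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", [])
    return sorted([aws] if isinstance(aws, str) else aws)

def audit_key_policy(policy_json):
    """Split a key policy into admins, users, and statements outside the template."""
    report = {"admins": [], "users": set(), "findings": []}
    for stmt in json.loads(policy_json).get("Statement", []):
        sid, who = stmt.get("Sid", ""), _principals(stmt)
        if stmt.get("Effect") == "Allow" and "*" in who:
            report["findings"].append(f"{sid!r}: wildcard principal")
        if sid == ADMIN_SID:
            report["admins"] = who
        elif sid in USER_SIDS:
            report["users"].update(who)
        elif sid != ROOT_SID:
            report["findings"].append(f"{sid!r}: statement not in default template")
    report["users"] = sorted(report["users"])
    return report

# Constructed sample: account ID, user names and the extra statement are made up.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": ROOT_SID, "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": ADMIN_SID, "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/kc-admin"},
     "Action": ["kms:Describe*", "kms:Put*", "kms:ScheduleKeyDeletion"], "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:user/app1"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "AddedInConsole", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:Decrypt", "Resource": "*"},
]})

if __name__ == "__main__":
    print(json.dumps(audit_key_policy(SAMPLE), indent=2))
```

A non-empty `findings` list means the policy has statements beyond the template, which is the situation the note above describes.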