If you've worked with encrypted data, scoped permissions, or cross-account access, you've likely come across KMS keys, IAM users, roles, and policies. Here's a quick breakdown of what they are—and how they work together.
- KMS Key (Key Management Service Key): An encryption key managed by AWS KMS. The key material never leaves the service; callers ask KMS to encrypt, decrypt, or generate data keys under it, and services such as S3 use it to protect data at rest.
- IAM User: An identity with long-term credentials (username/password or access keys) for interacting with AWS services. Because those credentials do not expire on their own, they are the ones most often leaked; workloads should use roles instead.
- IAM Role: An identity with no long-term credentials of its own. Trusted entities (users, AWS services, other roles, or principals in another account) assume it to receive short-lived credentials for a specific task. Who may assume it is defined by the role's trust policy.
- IAM Policy: A JSON document that defines permissions (allowed or denied actions on resources). Identity-based policies attach to users, groups, or roles; resource-based policies attach to the resource itself and name the principals that may use it.
How They Relate
When you encrypt data in AWS using KMS, access to the KMS key itself must be controlled. This is where IAM comes in.
- Identity-based policies attached to users or roles grant permission to call KMS actions (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey) on specific keys. On its own, such a policy is not enough: KMS only honors IAM policies for a key whose key policy allows the account, which is the usual statement granting kms:* to arn:aws:iam::<account-id>:root.
- A user uploading objects to an S3 bucket encrypted with SSE-KMS needs permission for the key as well as for the bucket, because S3 calls KMS on their behalf to generate a data key. Rather than granting key permissions to each user, you usually grant them to a role and let the users assume it.
- A role might be assumed by another AWS application, or by an external data warehouse such as Snowflake, that needs to decrypt data via KMS. For an external party, the role's trust policy should name that party's account and require an external ID, so the role cannot be abused as a confused deputy.
- The KMS key itself has a key policy, a resource-based policy that states who may use and administer it. This is not an optional extra layer: every KMS key has exactly one key policy, and it is the primary access control for the key. A key policy that grants nothing to the account root and nothing to your principals locks everyone out regardless of IAM policies, while a key policy statement with Principal "*" lets principals in any account use the key, their own IAM policies permitting.
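The interplay above is easy to get wrong, so here is a constructed Python model of the decision (an added example, not AWS code and not the post's own). It evaluates a sample key policy together with sample identity-based policies under a simplified rule: an explicit Deny wins; a key-policy statement naming the caller allows directly; otherwise the key policy must delegate to IAM through the account-root principal and an identity policy must also allow. The account number, key ID, role and user names, and bucket are placeholders; conditions, grants, groups, permission boundaries and SCPs are not modeled.

```python
from fnmatch import fnmatchcase

# Constructed placeholders: not a real account, key, or set of principals.
ACCOUNT = "111122223333"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
UPLOADER = f"arn:aws:iam::{ACCOUNT}:role/uploader"
SNOWFLAKE = f"arn:aws:iam::{ACCOUNT}:role/snowflake-reader"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"

# Key policy (resource-based, attached to the key). The first statement is the
# usual "let IAM policies in this account decide" delegation; the second grants
# one role directly, so that role needs no identity policy at all.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMPolicies", "Effect": "Allow",
         "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "SnowflakeDecrypt", "Effect": "Allow",
         "Principal": {"AWS": SNOWFLAKE},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}

# Same key policy without the delegation statement: IAM policies in the
# account then have no effect on this key.
KEY_POLICY_NO_DELEGATION = {"Version": "2012-10-17",
                            "Statement": KEY_POLICY["Statement"][1:]}

# Identity-based policies, keyed by the principal they are attached to.
IDENTITY_POLICIES = {
    UPLOADER: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:GenerateDataKey"],
         "Resource": KEY_ARN},
        {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ]},
    # alice may write to the bucket but was never granted the key.
    ALICE: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal is None:      # identity policies carry no Principal element
        return True
    if principal == "*":       # any principal in any account: avoid on a key
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def _stmt_matches(stmt, action, resource, principal_arn=None):
    if principal_arn is not None and not _principal_matches(stmt, principal_arn):
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatchcase(action.lower(), a) for a in actions):
        return False
    return any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))


def _effects(policy, action, resource, principal_arn=None):
    """Set of Effects ("Allow"/"Deny") of the statements matching the request."""
    return {s["Effect"] for s in policy.get("Statement", [])
            if _stmt_matches(s, action, resource, principal_arn)}


def kms_allows(principal_arn, action, key_policy=KEY_POLICY, key_arn=KEY_ARN):
    """Simplified KMS decision for one request (see module comment)."""
    root = "arn:aws:iam::{}:root".format(key_arn.split(":")[4])
    direct = _effects(key_policy, action, key_arn, principal_arn)
    delegated = _effects(key_policy, action, key_arn, root)
    identity = _effects(IDENTITY_POLICIES.get(principal_arn, {}), action, key_arn)
    if "Deny" in direct or "Deny" in identity:
        return False
    if "Allow" in direct:
        return True
    return "Allow" in delegated and "Allow" in identity


if __name__ == "__main__":
    for principal, action, policy in [
        (UPLOADER, "kms:Encrypt", KEY_POLICY),
        (UPLOADER, "kms:Decrypt", KEY_POLICY),
        (UPLOADER, "kms:ScheduleKeyDeletion", KEY_POLICY),
        (SNOWFLAKE, "kms:Decrypt", KEY_POLICY),
        (ALICE, "kms:Decrypt", KEY_POLICY),
        (UPLOADER, "kms:Encrypt", KEY_POLICY_NO_DELEGATION),
    ]:
        verdict = "ALLOW" if kms_allows(principal, action, policy) else "DENY"
        print(f"{principal.split(':')[-1]:<22} {action:<24} {verdict}")
```

Running it shows the cases that matter in practice: the uploader role can encrypt because the key policy delegates to IAM and its identity policy allows it, but cannot decrypt; the Snowflake role can decrypt with no identity policy at all because the key policy names it; alice's bucket permission buys her nothing on the key; and with the delegation statement removed, the uploader's identity policy stops working entirely. To reproduce this against real resources, the AWS CLI's `aws kms get-key-policy` and `aws iam simulate-principal-policy` are the tools to reach for.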
