Key Policies and VPC Private Endpoints

Resources inside a VPC can communicate with AWS KMS through a VPC private endpoint. A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Because the request never leaves the AWS network, the endpoint's ID (aws:sourceVpce) becomes available as a condition key that a key policy can require.

  1. Suppose we have an active AWS KMS VPC endpoint. To send KMS API calls through it instead of the public endpoint, run the command below, passing the endpoint's DNS name as the endpoint URL:
aws kms list-keys --endpoint-url <the KMS VPC Endpoint url>
  2. Change the key policy of the CMK so that the workshop role can use the key only through that VPC endpoint. The policy below keeps the account root Allow statement and adds an explicit Deny on the role's Encrypt, Decrypt, ReEncrypt* and GenerateDataKey* calls whenever the request does not carry the endpoint's ID in aws:sourceVpce. Since an explicit Deny overrides any Allow, and StringNotEquals also matches when the key is absent from the request context, requests from the public KMS endpoint (or from any other VPC endpoint) are denied, while the same role keeps its other permissions such as DescribeKey.
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<your account id>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow for Use only within our VPC",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::<your account id>:role/KMSWorkshop-InstanceInitRole"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "<the id of the KMS VPC Endpoint>"
        }
      }
    }
  ]
}
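The following is an added example, not code from the workshop page: it builds the key policy above programmatically and runs a minimal simulation of how its explicit Deny behaves for requests arriving through the intended VPC endpoint, through a different endpoint, and from the public KMS endpoint (where aws:sourceVpce is absent from the request context). The account id, endpoint id and role name are constructed placeholders; the evaluator implements only the operators this policy uses and treats the account root principal as delegating to IAM, on the assumption that the role's IAM policy already grants the KMS actions.

```python
"""Added example (not the workshop's own code): build the VPC-endpoint key
policy and simulate the effect of its StringNotEquals/aws:sourceVpce Deny.
All identifiers below are constructed placeholders."""
import json

ACCOUNT_ID = "111122223333"                  # placeholder account id
ROLE_NAME = "KMSWorkshop-InstanceInitRole"   # role name used on the page
KMS_VPCE_ID = "vpce-0123456789abcdef0"       # placeholder KMS VPC endpoint id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"

# Data-plane actions the page restricts to the VPC endpoint
DATA_KEY_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"]


def build_key_policy(account_id, role_name, vpce_id):
    """Return the page's key policy as a dict with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow for Use only within our VPC",
                "Effect": "Deny",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
                "Action": list(DATA_KEY_ACTIONS),
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            },
        ],
    }


def policy_json(policy):
    """Serialise the policy for `aws kms put-key-policy --policy file://...`."""
    return json.dumps(policy, indent=2)


def _action_matches(pattern, action):
    # IAM action patterns: exact match or a trailing wildcard (kms:ReEncrypt*)
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return action.lower() == pattern.lower()


def _principal_matches(stmt, principal_arn):
    arns = stmt["Principal"]["AWS"]
    arns = [arns] if isinstance(arns, str) else arns
    account = principal_arn.split(":")[4]
    # The account root principal delegates to IAM; we assume (simplification)
    # that the caller's IAM policy grants the action, so treat it as a match.
    return principal_arn in arns or f"arn:aws:iam::{account}:root" in arns


def _condition_matches(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a key missing from the request context
                # counts as a match, so a request with no aws:sourceVpce
                # (public endpoint) satisfies this condition and is denied.
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, principal_arn, action, context):
    """Explicit Deny wins; otherwise a matching Allow allows; else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(_action_matches(p, action) for p in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, ROLE_NAME, KMS_VPCE_ID)
    print(policy_json(policy))
    for ctx, label in ((
        {"aws:sourceVpce": KMS_VPCE_ID}, "via our KMS endpoint"),
        ({"aws:sourceVpce": "vpce-0fedcba9876543210"}, "via another endpoint"),
        ({}, "public endpoint, no aws:sourceVpce")):
        print(f"{label:40s} kms:Decrypt -> {evaluate(policy, ROLE_ARN, 'kms:Decrypt', ctx)}")
```

Write the JSON to a file and apply it with `aws kms put-key-policy --key-id <key id> --policy-name default --policy file://key-policy.json`; the simulation shows why the policy needs no `StringNotEqualsIfExists`: the missing key on the public path is exactly what triggers the Deny.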