kms:DescribeKey
Literal appearances in AWS managed IAM policies. Statements that use wildcards (for example s3:*) are not counted here. This is not an IAM authorization simulation.
Policies (any): 115
Allow (Action): 115
Deny (Action): 0
NotAction: 3
Index generated 4/7/2026, 3:29:24 AM. 559 policies include at least one wildcard action string (any service).
Action reference
SAR-style (unofficial)
Service: AWS Key Management Service
Access level: Read
Description: Controls permission to view detailed information about an AWS KMS key
Resource types
- key*
Allow (Action)
- AIDevOpsAgentAccessPolicy
- AIOpsAssistantPolicy
- AWSApplicationMigrationFullAccess
- AWSAuditManagerAdministratorAccess
- AWSAuditManagerServiceRolePolicy
- AWSBackupAdminPolicy
- AWSBackupFullAccess
- AWSBackupGuardDutyRolePolicyForScans
- AWSBackupOperatorPolicy
- AWSBackupServiceLinkedRolePolicyForBackup
- AWSBackupServiceRolePolicyForBackup
- AWSBackupServiceRolePolicyForIndexing
- AWSBackupServiceRolePolicyForItemRestores
- AWSBackupServiceRolePolicyForRestores
- AWSBackupServiceRolePolicyForS3Backup
- AWSBackupServiceRolePolicyForS3Restore
- AWSConfigRole
- AWSConfigServiceRolePolicy
- AWSDataExchangeFullAccess
- AWSDataExchangeProviderFullAccess
- AWSDataExchangeSubscriberFullAccess
- AWSDataSyncFullAccess
- AWSElasticDisasterRecoveryConsoleFullAccess
- AWSElasticDisasterRecoveryConsoleFullAccess_v2
- AWSEntityResolutionConsoleFullAccess
- AWSGlueConsoleFullAccess
- AWSGlueConsoleSageMakerNotebookFullAccess
- AWSLambda_FullAccess
- AWSProtonFullAccess
- AWSRefactoringToolkitFullAccess
- AWSResourceExplorerServiceRolePolicy
- AWSSSOMasterAccountAdministrator
- AWSSSOMemberAccountAdministrator
- AWSSSOReadOnly
- AWSServiceRoleForImageBuilder
- AWSSupplyChainFederationAdminAccess
- AWSTransformApplicationDeploymentPolicy
- AWSTransformSecretsManagerConnectorPolicy
- AWS_ConfigRole
- AWS_Config_Role
- AccessAnalyzerServiceRolePolicy
- AlexaForBusinessFullAccess
- AlexaForBusinessLifesizeDelegatedAccessPolicy
- AmazonAppFlowFullAccess
- AmazonAuroraDSQLConsoleFullAccess
- AmazonAuroraDSQLFullAccess
- AmazonBedrockFullAccess
- AmazonBedrockLimitedAccess
- AmazonConnectFullAccess
- AmazonConnect_FullAccess
- AmazonDataZoneEnvironmentRolePermissionsBoundary
- AmazonDataZoneFullAccess
- AmazonDataZonePreviewConsoleFullAccess
- AmazonDataZoneProjectDeploymentPermissionsBoundary
- AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
- AmazonDataZoneSageMakerManageAccessRolePolicy
- AmazonDataZoneSageMakerProvisioningRolePolicy
- AmazonDocDBConsoleFullAccess
- AmazonDocDBElasticFullAccess
- AmazonDynamoDBFullAccess
- AmazonDynamoDBFullAccess_v2
- AmazonDynamoDBReadOnlyAccess
- AmazonEKSClusterPolicy
- AmazonEVSServiceRolePolicy
- AmazonElastiCacheFullAccess
- AmazonElasticFileSystemFullAccess
- AmazonElasticFileSystemServiceRolePolicy
- AmazonFSxConsoleReadOnlyAccess
- AmazonGuardDutyMalwareProtectionServiceRolePolicy
- AmazonInspector2AgentlessServiceRolePolicy
- AmazonKendraFullAccess
- AmazonKeyspacesFullAccess
- AmazonKeyspacesReadOnlyAccess
- AmazonKeyspacesReadOnlyAccess_v2
- AmazonLexFullAccess
- AmazonLookoutEquipmentFullAccess
- AmazonMSKFullAccess
- AmazonMSKReadOnlyAccess
- AmazonManagedBlockchainConsoleFullAccess
- AmazonMonitronFullAccess
- AmazonRedshiftQueryEditorV2FullAccess
- AmazonS3TablesLakeFormationServiceRole
- AmazonSageMakerCanvasDataPrepFullAccess
- AmazonSageMakerCanvasFullAccess
- AmazonSageMakerFullAccess
- AmazonSageMakerModelRegistryFullAccess
- AmazonSageMakerSpacesControllerPolicy
- AmazonSageMakerSpacesRouterPolicy
- AmazonSecurityLakeAdministrator
- AmazonTimestreamConsoleFullAccess
- AmazonTimestreamFullAccess
- AmazonWorkMailFullAccess
- AmazonWorkSpacesAdmin
- AwsGlueDataBrewFullAccessPolicy
- BedrockAgentCoreFullAccess
- CloudWatchLogsAPIKeyAccess
- CloudWatchSyntheticsFullAccess
- DBModDiscoveryAndAssessment
- ROSAInstallerPolicy
- ROSAKMSProviderPolicy
- ROSAKubeControllerPolicy
- ROSANodePoolManagementPolicy
- SageMakerStudioAdminIAMConsolePolicy
- SageMakerStudioAdminIAMDefaultExecutionPolicy
- SageMakerStudioAdminIAMPermissiveExecutionPolicy
- SageMakerStudioBedrockEvaluationJobServiceRolePolicy
- SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy
- SageMakerStudioEMRServiceRolePolicy
- SageMakerStudioFullAccess
- SageMakerStudioProjectProvisioningRolePolicy
- SageMakerStudioProjectUserRolePermissionsBoundary
- SageMakerStudioProjectUserRolePolicy
- SageMakerStudioUserIAMDefaultExecutionPolicy
- SageMakerStudioUserIAMPermissiveExecutionPolicy
- SecretsManagerReadWrite
Deny (Action)
None
Thanks to Ian McKay for iam-dataset (MIT), structured data derived from the AWS Service Authorization Reference. Not maintained by AWS and not guaranteed current. IAMTrail's managed policy archive is separate.
Definitions bundle generated 4/7/2026, 3:29:24 AM