kms:Sign is a Write access-level action in the kms service. Controls permission to produce a digital signature for a message
ARNs that kms:Sign can be scoped to in an IAM policy.
Keys you can use in the Condition block of a policy that grants kms:Sign.
Filters access to an API operation based on the Origin property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key
Filters access to an API operation based on the KeySpec property of the AWS KMS key that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource
Filters access to an API operation based on the KeyUsage property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource
Filters access to an API operation based on the MultiRegion property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource
Filters access to an API operation based on the MultiRegionKeyType property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource
Filters access to the specified AWS KMS operations based on tags assigned to the AWS KMS key
Filters access to specified AWS KMS operations based on aliases associated with the AWS KMS key
A minimal policy that allows kms:Sign. Replace "Resource": "*" with a specific ARN to follow least privilege.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowKmsSign",
"Effect": "Allow",
"Action": "kms:Sign",
"Resource": "*"
}
]
}