| kms:CancelKeyDeletion | Admin |
| kms:ConnectCustomKeyStore | Admin |
| kms:CreateAlias | Admin |
| kms:CreateCustomKeyStore | Admin |
| kms:CreateGrant | Admin |
| kms:CreateKey | Admin |
| kms:DeleteAlias | Admin |
| kms:DeleteCustomKeyStore | Admin |
| kms:DeleteImportedKeyMaterial | Admin |
| kms:DisableKey | Admin |
| kms:DisableKeyRotation | Admin |
| kms:DisconnectCustomKeyStore | Admin |
| kms:EnableKey | Admin |
| kms:EnableKeyRotation | Admin |
| kms:ImportKeyMaterial | Admin |
| kms:PutKeyPolicy | Admin |
| kms:RetireGrant | Admin |
| kms:RevokeGrant | Admin |
| kms:ScheduleKeyDeletion | Admin |
| kms:UpdateAlias | Admin |
| kms:UpdateCustomKeyStore | Admin |
| kms:UpdateKeyDescription | Admin |
| kms:UpdatePrimaryRegion | Admin |
| kms:Decrypt | Operator |
| kms:Encrypt | Operator |
| kms:GenerateDataKey | Operator |
| kms:GenerateDataKeyPair | Operator |
| kms:GenerateDataKeyPairWithoutPlaintext | Operator |
| kms:GenerateDataKeyWithoutPlaintext | Operator |
| kms:GenerateRandom | Operator |
| kms:ReEncrypt | Operator |
| kms:ReEncryptFrom | Operator |
| kms:ReEncryptTo | Operator |
| kms:ReplicateKey | Operator |
| kms:Sign | Operator |
| kms:SynchronizeMultiRegionKey | Operator |
| kms:TagResource | Operator |
| kms:UntagResource | Operator |
| kms:Verify | Operator |
| kms:DescribeCustomKeyStores | Metadata |
| kms:DescribeKey | Metadata |
| kms:GetKeyPolicy | Metadata |
| kms:GetKeyRotationStatus | Metadata |
| kms:GetParametersForImport | Metadata |
| kms:GetPublicKey | Metadata |
| kms:ListAliases | Metadata |
| kms:ListGrants | Metadata |
| kms:ListKeyPolicies | Metadata |
| kms:ListKeys | Metadata |
| kms:ListResourceTags | Metadata |
| kms:ListRetirableGrants | Metadata |
