The key policy to attach to the CMK.

If you specify a policy and do not set BypassPolicyLockoutSafetyCheck to true, the policy must meet the following criteria:

It must allow the principal making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the likelihood that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.

The principal(s) specified in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before specifying the new principal in a key policy because the new principal might not immediately be visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the IAM User Guide.

If you do not specify a policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.

The policy size limit is 32 KiB (32768 bytes).
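As an added example (not code from AWS or from the original page), the following Python pre-flight check covers the two criteria a client can verify locally before calling CreateKey: that some Allow statement lets the calling principal make a PutKeyPolicy request, and that the policy fits in 32768 bytes. It approximates the lockout check rather than reproducing what KMS does: Deny statements, conditions, NotAction and NotPrincipal are ignored, and the function names, account ID and user names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

POLICY_SIZE_LIMIT = 32768  # bytes, the limit stated above


def _as_list(value):
    """Policy fields may hold one value or a list of values."""
    return value if isinstance(value, list) else [value]


def _grants_put_key_policy(statement, caller_arn, account_id):
    """True if an Allow statement names the caller and covers kms:PutKeyPolicy."""
    if statement.get("Effect") != "Allow":
        return False
    # IAM action names are case-insensitive and may contain wildcards.
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    if not any(fnmatchcase("kms:putkeypolicy", a) for a in actions):
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    # Assumption: the account root (ARN or bare account ID) is treated as
    # covering the caller; that also needs an IAM policy on the caller.
    accepted = {caller_arn, "*", account_id, f"arn:aws:iam::{account_id}:root"}
    return any(p in accepted for p in aws)


def preflight_key_policy(policy_json, caller_arn):
    """Return the problems found before the policy is sent to CreateKey."""
    problems = []
    size = len(policy_json.encode("utf-8"))
    if size > POLICY_SIZE_LIMIT:
        problems.append(f"policy is {size} bytes, limit is {POLICY_SIZE_LIMIT}")
    account_id = caller_arn.split(":")[4]
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    if not any(_grants_put_key_policy(s, caller_arn, account_id) for s in statements):
        problems.append(f"no Allow statement lets {caller_arn} call kms:PutKeyPolicy")
    return problems


# Constructed sample input: the account ID and user names are placeholders.
CALLER = "arn:aws:iam::111122223333:user/KeyAdmin"
LOCKOUT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/AppUser"},
    "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]})
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CALLER}, "Action": "kms:Put*", "Resource": "*"}]})
```

An empty list from `preflight_key_policy` means neither local check failed; whether the principals exist and are visible to AWS KMS can only be determined by the service itself.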
