AWS KMS decryption configuration and client-side decryption question: why is there no need to specify a key?
Great question—let’s unpack how AWS KMS handles ciphertext blob decryption and permissions step by step:
1. Does the ciphertext blob include the KMS key information?
Yes, absolutely! When you call the Encrypt API, AWS KMS automatically embeds metadata about the CMK used (like its ID or ARN) into the generated ciphertext blob. This is why you don’t need to specify the key ID in the DecryptRequest—KMS extracts the key identifier directly from the blob itself.
This also means you can’t decrypt a blob with a different CMK than the one used to encrypt it (unless you’re using multi-key encryption, which is an advanced use case).
2. How to grant permissions to decrypt the ciphertext blob?
Decryption permissions are controlled through two layers: the KMS key’s policy and IAM policies. Here’s how to set them up:
- Key Policy (critical): Edit your CMK’s key policy to add a statement that allows the intended identity (user, role, or service principal) to perform the kms:Decrypt action. Example key policy snippet:

```json
{
  "Sid": "AllowDecryptionForSpecificUser",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::111122223333:user/your-decryption-user" },
  "Action": "kms:Decrypt",
  "Resource": "*"
}
```

- IAM Policy: Ensure the identity also has an IAM policy that grants kms:Decrypt permissions for the target CMK. While the key policy is the primary control, the IAM policy acts as an additional allow (both need to allow the action for it to work).
3. Do I need an IAM role for AWS services to decrypt values?
Yes, if you want an AWS service (like Lambda, S3, or EC2) to decrypt the ciphertext blob, you’ll need to:
- Create an IAM role with a trust policy that allows the AWS service to assume the role. For example, for Lambda, the trust policy would allow lambda.amazonaws.com to assume the role.
- Attach an IAM policy to the role that grants kms:Decrypt access to the target CMK.
- Update the CMK’s key policy to explicitly allow the role’s ARN to perform kms:Decrypt.
Some AWS services (like S3 with server-side encryption using KMS) have built-in integration, but you still need to ensure the service’s execution role (or service principal) is permitted in the key policy to decrypt.
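The following is an added example, not code from the original answer or from AWS. It ties sections 1 to 3 together: it builds the three documents the answer describes for a Lambda role (the role's trust policy, the role's IAM permissions policy scoped to one key, and the key policy statement), checks the answer's two-layer "key policy AND IAM policy" rule with a small local evaluator, and wraps the Decrypt call so that, although no KeyId is passed (KMS reads it from the ciphertext blob), the caller still verifies which key KMS reports having used. The key ARN, role ARN, the account id 111122223333 and the `FakeKmsClient` stand-in are constructed placeholders; with boto3 installed, `boto3.client("kms")` can be passed in place of the fake. The evaluator only models the two Allow layers from the answer, not Deny statements, conditions or grants.

```python
"""Added example (not from the original answer): KMS decrypt permissions as
the answer describes them, built and checked locally. All ARNs are placeholders."""
import json
from fnmatch import fnmatchcase

# Constructed placeholder identifiers (not real resources).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
ROLE_ARN = "arn:aws:iam::111122223333:role/lambda-decrypt-role"


def lambda_trust_policy():
    # Trust policy on the role: lets the Lambda service principal assume it.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def role_permissions_policy(key_arn=KEY_ARN):
    # IAM policy attached to the role: kms:Decrypt scoped to a single key, not "*".
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}]}


def key_policy_statement(principal_arn=ROLE_ARN):
    # Statement to add to the CMK's key policy; in a key policy "Resource": "*" means this key.
    return {"Sid": "AllowDecryptionForLambdaRole", "Effect": "Allow",
            "Principal": {"AWS": principal_arn}, "Action": "kms:Decrypt", "Resource": "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_allows(stmt, principal_arn, action, key_arn, check_principal):
    # One Allow statement: principal (key policy only), action glob, resource glob.
    if stmt.get("Effect") != "Allow":
        return False
    if check_principal:
        allowed = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn not in allowed and "*" not in allowed:
            return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    return any(fnmatchcase(key_arn, r) for r in _as_list(stmt.get("Resource", [])))


def can_decrypt(key_policy_statements, iam_policy, principal_arn, key_arn=KEY_ARN):
    """Simplified model of the answer's rule: the key policy must allow the
    principal AND the principal's IAM policy must allow kms:Decrypt on the key.
    Assumption: Deny statements, conditions and KMS grants are not modelled."""
    key_ok = any(_statement_allows(s, principal_arn, "kms:Decrypt", key_arn, True)
                 for s in key_policy_statements)
    iam_ok = any(_statement_allows(s, principal_arn, "kms:Decrypt", key_arn, False)
                 for s in iam_policy.get("Statement", []))
    return key_ok and iam_ok


def decrypt_blob(kms_client, ciphertext_blob, expected_key_arn=KEY_ARN):
    """Call Decrypt without KeyId (KMS reads the key from the blob), then check
    the KeyId KMS reports so a blob encrypted under some other key the caller
    also has access to is rejected instead of silently accepted."""
    resp = kms_client.decrypt(CiphertextBlob=ciphertext_blob)
    if resp["KeyId"] != expected_key_arn:
        raise ValueError(f"blob encrypted under {resp['KeyId']}, expected {expected_key_arn}")
    return resp["Plaintext"]


class FakeKmsClient:
    """Constructed stand-in for boto3's KMS client so the example runs offline;
    it returns the KeyId given at construction, as a real Decrypt response would."""
    def __init__(self, key_arn=KEY_ARN, plaintext=b"db-password"):
        self.key_arn, self.plaintext = key_arn, plaintext

    def decrypt(self, CiphertextBlob):
        return {"KeyId": self.key_arn, "Plaintext": self.plaintext}


if __name__ == "__main__":
    print(json.dumps(lambda_trust_policy(), indent=2))
    print(json.dumps(role_permissions_policy(), indent=2))
    print(json.dumps(key_policy_statement(), indent=2))
    print("role may decrypt:", can_decrypt([key_policy_statement()], role_permissions_policy(), ROLE_ARN))
    print("plaintext:", decrypt_blob(FakeKmsClient(), b"ciphertext-blob-bytes"))
```

Running the module prints the three policy documents and the two checks; removing either the key policy statement or the IAM statement makes `can_decrypt` return False, which is the two-layer behaviour the answer describes.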
This question was originally asked on Stack Exchange by Fergal Rooney.