{
"Sid": "Allow users or roles to use the KMS key with EBS",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account id>:<users or roles>/<users or roles name>"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:<region code>:<account id>:key/<kms key id>"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account id>:<users or roles>/<users or roles name>"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "arn:aws:kms:<region code>:<account id>:key/<kms key id>",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}