{
"Sid": "Allow users or roles to use KMS to ElastiCache.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account id>:<users or roles>/<users or roles name>"
},
"Action": [
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:<region code>:<account id>:key/<kms key id>",
"Condition": {
"StringEquals": {
"kms:ViaService": [
"elasticache.<region code>.amazonaws.com",
"dax.<region code>.amazonaws.com"
]
}
}
}