====== KMS Key Policy ======

**What it is:** A resource-based policy attached to a KMS key that controls who can use the key and who can administer it.

**What it’s for:**
* Define which principals can encrypt/decrypt with the key.
* Define who can manage the key (admin actions such as enabling, disabling, rotating or scheduling deletion).

**Key ideas:**
* A key policy is **required** for KMS authorization: every KMS key has exactly one, and no request is allowed unless the key policy permits it.
* An IAM policy alone is not enough if the key policy doesn’t allow it; the usual pattern is a key policy statement that grants the account root, which delegates the decision to IAM policies in that account.
* The key policy can enable cross-account access to the key (the other account’s principals still also need an IAM policy in their own account).

**Exam cues:**
* “AccessDenied on decrypt even though the role has kms:Decrypt” → the key policy is likely missing the permission (or the statement that delegates to IAM).
* “Allow another account to use this key” → update the key policy.

**Hard words:**
* *administer* /ədˈmɪnɪstər/: to manage, to be in charge of
* *required* /rɪˈkwaɪərd/: mandatory, must be present
* *authorization* /ˌɔːθərəˈzeɪʃn/: granting permission
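The following is an added, self-contained example (not from the original note or from AWS) that models the "Key ideas" and "Exam cues" above in code. It holds a constructed key policy in the shape AWS KMS uses (account ids, role names and the Sid values are made up) and a deliberately simplified evaluator: a principal is allowed if the key policy names it directly, or if the key policy grants its account root and an IAM policy in that account also allows the action; cross-account principals always need both. Explicit Deny statements, conditions, grants and VPC endpoint policies are left out of the model on purpose.

```python
"""Simplified model of KMS key-policy authorization (constructed example, not AWS code)."""
import copy
import fnmatch

KEY_ACCOUNT = "111122223333"    # constructed: the account that owns the KMS key
OTHER_ACCOUNT = "444455556666"  # constructed: a partner account given cross-account access

# Constructed key policy in the JSON shape AWS KMS expects.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Grants the owning account's root: this is what lets IAM policies
            # in that account decide. Without it, IAM allows are ignored by KMS.
            "Sid": "EnableIAMUserPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # Key administrators named directly; no IAM policy needed for them.
            "Sid": "AllowKeyAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:role/KeyAdminRole"},
            "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Put*",
                       "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {   # Cross-account use: grant the other account's root, then IAM policies
            # in that account narrow it down to specific roles.
            "Sid": "AllowCrossAccountUse",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{OTHER_ACCOUNT}:root"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}


def account_of(arn: str) -> str:
    """Return the 12-digit account id from an IAM ARN."""
    return arn.split(":")[4]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_allows(stmt: dict, principal_arn: str, action: str) -> bool:
    """True if this Allow statement names the principal and one of its actions matches."""
    if stmt.get("Effect") != "Allow":
        return False
    principals = _as_list(stmt["Principal"]["AWS"])
    actions = _as_list(stmt["Action"])
    return principal_arn in principals and any(
        fnmatch.fnmatchcase(action, pattern) for pattern in actions)


def key_policy_allows(policy: dict, principal_arn: str, action: str):
    """Return 'direct', 'via-root' or None depending on how the key policy allows the call."""
    root = f"arn:aws:iam::{account_of(principal_arn)}:root"
    statements = policy["Statement"]
    if any(_statement_allows(s, principal_arn, action) for s in statements):
        return "direct"
    if any(_statement_allows(s, root, action) for s in statements):
        return "via-root"
    return None


def kms_authorizes(policy: dict, principal_arn: str, action: str, iam_allows: bool) -> bool:
    """Decide a KMS request. iam_allows: whether the caller's own IAM policy grants the action."""
    how = key_policy_allows(policy, principal_arn, action)
    if how is None:
        return False  # IAM allow cannot rescue a key policy that says nothing (the exam cue)
    cross_account = account_of(principal_arn) != KEY_ACCOUNT
    if how == "direct" and not cross_account:
        return True  # key policy alone is sufficient inside the owning account
    return iam_allows  # via-root, or any cross-account access, also needs IAM


def without_statement(policy: dict, sid: str) -> dict:
    """Copy of the policy with one statement removed, to reproduce a misconfigured key."""
    trimmed = copy.deepcopy(policy)
    trimmed["Statement"] = [s for s in trimmed["Statement"] if s.get("Sid") != sid]
    return trimmed


if __name__ == "__main__":
    app = f"arn:aws:iam::{KEY_ACCOUNT}:role/AppRole"
    print("AppRole decrypt, IAM allows:", kms_authorizes(KEY_POLICY, app, "kms:Decrypt", True))
    broken = without_statement(KEY_POLICY, "EnableIAMUserPermissions")
    print("same call, root statement missing:", kms_authorizes(broken, app, "kms:Decrypt", True))
```

The `without_statement` helper reproduces the first exam cue: the same role with the same `kms:Decrypt` IAM permission is denied as soon as the key policy stops delegating to IAM. The third statement is the second cue; granting the other account's root is the usual way to "allow another account to use this key", and the partner account then scopes it to particular roles with its own IAM policies.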