
KMS Key Policy

What it is: A resource-based policy attached to a KMS key that controls who can use/administer the key.

What it’s for:

  • Define which principals can encrypt/decrypt with the key.
  • Define who can manage the key (admin actions).

Key ideas:

  • Key policy is required for KMS authorization.
  • IAM policy alone may not be enough if the key policy doesn’t allow it.
  • Key policy can enable cross-account access to the key.

Exam cues:

  • “AccessDenied on decrypt even though role has kms:Decrypt” → key policy likely missing permissions.
  • “allow another account to use this key” → update key policy.
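
Added example (not part of the original notes): a simplified Python model of the decision behind both exam cues, showing that an IAM allow is ignored unless the key policy names the principal or delegates to IAM through the account root. The account IDs, role names and the `can_use_key` helper are constructed for illustration; Deny statements, conditions and grants are not modelled.

```python
from fnmatch import fnmatchcase

KEY_ACCOUNT = "111111111111"  # constructed placeholder account IDs throughout
KEY_POLICY = {  # constructed sample: no root delegation for the key's own account
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdmins", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/KeyAdmin"},
         "Action": ["kms:Describe*", "kms:PutKeyPolicy"], "Resource": "*"},
        {"Sid": "CrossAccountUse", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def key_policy_allows(policy, arn, action):
    """True if an Allow statement in the key policy names `arn` for `action`."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if arn in _as_list(principal.get("AWS", [])) and any(
                fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", []))):
            return True
    return False

def can_use_key(policy, key_account, role_arn, action, iam_allows):
    """Simplified decision: Deny statements, conditions and grants are not modelled."""
    account = role_arn.split(":")[4]
    direct = key_policy_allows(policy, role_arn, action)
    via_root = key_policy_allows(policy, f"arn:aws:iam::{account}:root", action)
    if account == key_account:
        # Same account: the key policy names the role, or delegates to IAM via root.
        return direct or (via_root and iam_allows)
    # Cross-account: the key policy and the caller's own IAM policy must both allow.
    return (direct or via_root) and iam_allows

if __name__ == "__main__":
    app = "arn:aws:iam::111111111111:role/App"
    reader = "arn:aws:iam::222222222222:role/Reader"
    print(can_use_key(KEY_POLICY, KEY_ACCOUNT, app, "kms:Decrypt", iam_allows=True))
    print(can_use_key(KEY_POLICY, KEY_ACCOUNT, reader, "kms:Decrypt", iam_allows=True))
```

The first call is the "AccessDenied on decrypt even though role has kms:Decrypt" case: the sample key policy neither names the role nor delegates to IAM for the key's own account.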

Hard words:

  • *administer* /ədˈmɪnɪstər/: to manage or govern
  • *required* /rɪˈkwaɪərd/: mandatory
  • *authorization* /ˌɔːθərəˈzeɪʃn/: granting of permissions
aws/security/kms/key-policy.txt · Last modified: by phong2018