AWS IAM policy template • KMS

KMS Encrypt-Only (Write Path, No Decrypt)

Let a service encrypt data with a key it can never use to decrypt — for one-way write paths like log shipping or backups.

Policy

Replace the placeholder ARNs (YOUR-BUCKET-NAME, ACCOUNT_ID, REGION, etc.) with your real resource identifiers before use.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EncryptOnly",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/YOUR-KEY-ID"
    }
  ]
}

Why it's scoped this way

  • kms:Decrypt is deliberately absent — this is the core of the pattern: a role that can encrypt data on the way in but cannot read it back out, useful for ingestion pipelines where the writer should never be able to read what it wrote.
  • kms:GenerateDataKey is included alongside Encrypt because most SDKs use envelope encryption (a data key generated by KMS, used locally) rather than calling kms:Encrypt directly on large payloads — omitting it breaks that path with an unrelated-looking error.
  • No kms:CreateGrant, kms:PutKeyPolicy, or kms:ScheduleKeyDeletion — this role cannot grant itself broader access or destroy the key.

Hardening it further

  • This is an identity-policy statement only — the KMS key's own key policy must also allow this principal, since KMS evaluates both and denies on either refusal.
  • If the role is later given kms:Decrypt for a legitimate reason, treat that as a distinct, reviewable change — the whole value of this pattern is the asymmetry.
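The checker below is an added example, not part of this page and not the Shieldly analyzer. It encodes the points from the two lists above as an offline lint over an identity policy: it flags kms:Decrypt and the three grant/key-management actions, wildcard actions (including the kms:* that matches all of them), resources not pinned to a single key ARN, and NotAction/NotResource statements. It also accepts Action and Resource as either a bare string or a list, as IAM does. The account ID, key ID and the "loosened" policy are constructed sample values; only the standard library is used.

```python
"""Offline lint for the KMS encrypt-only identity-policy pattern.

Added example: stdlib-only checker, not Shieldly's analyzer and not part of
the template page. Reports anything that breaks the encrypt-only asymmetry.
"""
import fnmatch
import json

# The write-path actions the template grants (compared case-insensitively).
ALLOWED_ACTIONS = {"kms:encrypt", "kms:generatedatakey"}

# Actions the page says must stay absent, with the reason it gives.
FORBIDDEN_ACTIONS = {
    "kms:Decrypt": "lets the role read back what it wrote",
    "kms:CreateGrant": "lets the role grant itself broader access",
    "kms:PutKeyPolicy": "lets the role rewrite the key policy",
    "kms:ScheduleKeyDeletion": "lets the role destroy the key",
}


def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_encrypt_only(policy):
    """Return a list of findings; an empty list means the pattern is intact."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed; enumerate actions instead")
            continue
        for pattern in _as_list(stmt.get("Action")):
            is_wild = any(ch in pattern for ch in "*?")
            if is_wild:
                findings.append(f"{sid}: wildcard action {pattern!r}; list kms:Encrypt and kms:GenerateDataKey explicitly")
            hits = [name for name in FORBIDDEN_ACTIONS if _matches(pattern, name)]
            for name in hits:
                findings.append(f"{sid}: {pattern!r} allows {name}, which {FORBIDDEN_ACTIONS[name]}")
            if not is_wild and not hits and pattern.lower() not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: {pattern!r} is outside the encrypt-only set; review it")
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource:
                findings.append(f"{sid}: resource {resource!r} is not pinned to one key ARN")
            elif ":key/" not in resource:
                findings.append(f"{sid}: resource {resource!r} is not a KMS key ARN; alias ARNs do not authorize cryptographic operations")
    return findings


# The page's template with constructed placeholder values filled in.
TEMPLATE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EncryptOnly",
      "Effect": "Allow",
      "Action": ["kms:Encrypt", "kms:GenerateDataKey"],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
""")

# A constructed "loosened" version of the kind a hurried edit produces.
LOOSENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EncryptOnly", "Effect": "Allow", "Action": "kms:*", "Resource": "*"}
    ],
}

if __name__ == "__main__":
    for label, policy in (("template", TEMPLATE_POLICY), ("loosened", LOOSENED_POLICY)):
        findings = lint_encrypt_only(policy)
        print(f"{label}: {'ok' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

Run it as-is to see the template pass and the loosened variant produce six findings; feed it `json.load(open("policy.json"))` to check your own filled-in copy before pasting it anywhere.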

Paste your finished policy into the free AI-Powered IAM analyzer to catch anything you loosened while filling it in.

Check your finished policy — free

Shieldly's AI-Powered analyzer flags privilege-escalation paths, wildcards, and risky PassRole in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.