ablog

Notes of a clumsy, restless engineer

Key policy of the AWS managed CMK for DynamoDB

  • Check the key ID behind aws/dynamodb
$ aws kms list-aliases|jq -r '.Aliases[]|select(.AliasName=="alias/aws/dynamodb")'
{
  "AliasArn": "arn:aws:kms:ap-northeast-1:123456780123:alias/aws/dynamodb",
  "AliasName": "alias/aws/dynamodb",
  "TargetKeyId": "9d******-****-****-****-*********ee"
}
  • Check the key policy from the key ID
$ aws kms get-key-policy --key-id 9d******-****-****-****-*********ee --policy-name default|jq -r '.Policy'
{
  "Version" : "2012-10-17",
  "Id" : "auto-dynamodb-1",
  "Statement" : [ {
    "Sid" : "Allow access through Amazon DynamoDB for all principals in the account that are authorized to use Amazon DynamoDB",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "*"
    },
    "Action" : [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey" ],
    "Resource" : "*",
    "Condition" : {
      "StringEquals" : {
        "kms:CallerAccount" : "123456780123",
        "kms:ViaService" : "dynamodb.ap-northeast-1.amazonaws.com"
      }
    }
  }, {
    "Sid" : "Allow direct access to key metadata to the account",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::123456780123:root"
    },
    "Action" : [ "kms:Describe*", "kms:Get*", "kms:List*", "kms:RevokeGrant" ],
    "Resource" : "*"
  }, {
    "Sid" : "Allow DynamoDB Service with service principal name dynamodb.amazonaws.com to describe the key directly",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "dynamodb.amazonaws.com"
    },
    "Action" : [ "kms:Describe*", "kms:Get*", "kms:List*" ],
    "Resource" : "*"
  } ]
}
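The two steps above folded into one script, as an added example that is not part of the original memo. Beyond resolving the alias and fetching the policy, it checks the point that matters in this policy: the statement with `"Principal": {"AWS": "*"}` is only safe because it is fenced by both `kms:CallerAccount` and `kms:ViaService`, so a principal in this account can use the key only through DynamoDB in ap-northeast-1, never by calling `kms:Decrypt` directly, and nothing outside the account can use it at all. The JSON samples embedded below are copied from the CLI output shown above; `alias_to_key_id`, `fetch_policy`, `audit_key_policy` and the weakened counter-example policy are this script's own names and constructions, not anything AWS ships.

```python
"""Resolve alias/aws/dynamodb to its key ID and audit that key's policy.

Added example, not code from the original memo. The JSON samples are copied
from the CLI output on the page; only fetch_policy() talks to the real AWS
CLI (needs credentials) and it is not required for the offline checks.
"""
import json
import subprocess
from typing import List, Optional

ACCOUNT_ID = "123456780123"                            # from the page
VIA_SERVICE = "dynamodb.ap-northeast-1.amazonaws.com"  # from the page

# Constructed sample: the alias/aws/dynamodb entry of `aws kms list-aliases`.
SAMPLE_LIST_ALIASES = r'''{"Aliases": [{
  "AliasArn": "arn:aws:kms:ap-northeast-1:123456780123:alias/aws/dynamodb",
  "AliasName": "alias/aws/dynamodb",
  "TargetKeyId": "9d******-****-****-****-*********ee"}]}'''

# Constructed sample: the aws/dynamodb key policy exactly as shown above.
DYNAMODB_KEY_POLICY = r'''{
  "Version": "2012-10-17", "Id": "auto-dynamodb-1",
  "Statement": [
    {"Sid": "Allow access through Amazon DynamoDB for all principals in the account that are authorized to use Amazon DynamoDB",
     "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey"],
     "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": "123456780123",
                                    "kms:ViaService": "dynamodb.ap-northeast-1.amazonaws.com"}}},
    {"Sid": "Allow direct access to key metadata to the account",
     "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456780123:root"},
     "Action": ["kms:Describe*", "kms:Get*", "kms:List*", "kms:RevokeGrant"], "Resource": "*"},
    {"Sid": "Allow DynamoDB Service with service principal name dynamodb.amazonaws.com to describe the key directly",
     "Effect": "Allow", "Principal": {"Service": "dynamodb.amazonaws.com"},
     "Action": ["kms:Describe*", "kms:Get*", "kms:List*"], "Resource": "*"}
  ]
}'''


def _as_list(x):
    return x if isinstance(x, list) else [x]


def alias_to_key_id(list_aliases_json: str, alias_name: str) -> Optional[str]:
    """Step 1: map an alias name to its TargetKeyId in `aws kms list-aliases` output."""
    for alias in json.loads(list_aliases_json)["Aliases"]:
        if alias["AliasName"] == alias_name:
            return alias.get("TargetKeyId")
    return None


def fetch_policy(key_id: str) -> str:
    """Step 2 (live): `aws kms get-key-policy`; --query/--output text unwraps the Policy string."""
    return subprocess.run(
        ["aws", "kms", "get-key-policy", "--key-id", key_id, "--policy-name", "default",
         "--query", "Policy", "--output", "text"],
        check=True, capture_output=True, text=True).stdout


def audit_key_policy(policy_json: str, account_id: str, via_service: str) -> List[str]:
    """Flag Allow statements broader than the managed-key pattern.

    A wildcard principal is acceptable only when fenced by BOTH conditions: without
    kms:CallerAccount any AWS account could use the key, and without kms:ViaService
    principals could call KMS directly instead of going through DynamoDB.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if any(a == "kms:*" or a.startswith("kms:Put") or a == "kms:ScheduleKeyDeletion"
               for a in actions):
            findings.append(f"{sid}: grants key-administration actions {actions}")
        principal = stmt.get("Principal", {})
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if not wildcard:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("kms:CallerAccount")) != [account_id]:
            findings.append(f"{sid}: wildcard principal not limited to kms:CallerAccount {account_id}")
        if _as_list(cond.get("kms:ViaService")) != [via_service]:
            findings.append(f"{sid}: wildcard principal not limited to kms:ViaService {via_service}")
    return findings


def _without_condition(policy_json: str, sid_prefix: str) -> str:
    """Constructed counter-example: drop the Condition block from the wildcard statement."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        if stmt.get("Sid", "").startswith(sid_prefix):
            stmt.pop("Condition", None)
    return json.dumps(policy)


# What a dangerously broad customer-managed policy would look like (AWS managed
# key policies cannot be edited, so this exists only to exercise the audit).
WEAK_POLICY = _without_condition(DYNAMODB_KEY_POLICY, "Allow access through Amazon DynamoDB")

if __name__ == "__main__":
    print("key id:", alias_to_key_id(SAMPLE_LIST_ALIASES, "alias/aws/dynamodb"))
    print("managed policy findings:", audit_key_policy(DYNAMODB_KEY_POLICY, ACCOUNT_ID, VIA_SERVICE))
    print("weakened policy findings:", audit_key_policy(WEAK_POLICY, ACCOUNT_ID, VIA_SERVICE))
```

For a live run, replace the embedded samples with `subprocess` output from `aws kms list-aliases` and `fetch_policy(key_id)`; the audit logic is the same. The practical takeaway is that, because the managed key's policy cannot be changed, who can decrypt DynamoDB data at rest is decided entirely by IAM permissions on DynamoDB itself, which is where a reviewer should look.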