# Find the alias named alias/aws/dynamodb (the alias/aws/ prefix is reserved for AWS managed keys).
# The TargetKeyId in the output is the key ID passed to get-key-policy further down.
$ aws kms list-aliases|jq -r '.Aliases[]|select(.AliasName=="alias/aws/dynamodb")'
{
"AliasArn": "arn:aws:kms:ap-northeast-1:123456780123:alias/aws/dynamodb",
"AliasName": "alias/aws/dynamodb",
"TargetKeyId": "9d******-****-****-****-*********ee"
}
# Fetch the key policy named "default" for that key. The CLI returns the policy as an escaped
# JSON string inside "Policy"; the perl filter rewrites \" to " and \n to real newlines so the
# document is readable, which leaves the output below no longer valid JSON
# (--query Policy --output text would print the policy document on its own instead).
# Reading the policy: the first statement has Principal "*", but its Condition requires both
# kms:CallerAccount (the account ID) and kms:ViaService (DynamoDB in ap-northeast-1), so the
# listed actions are only allowed for requests made through DynamoDB from that account.
# When reviewing a policy like this, confirm both condition keys are present alongside the wildcard.
# The account-root and dynamodb.amazonaws.com statements grant Describe*/Get*/List* only
# (plus kms:RevokeGrant for the account root), not encrypt/decrypt.
$ aws kms get-key-policy --key-id 9d******-****-****-****-*********ee --policy-name default|perl -pe 's/\\"/"/g;s/\\n/\n/g'
{
"Policy": "{
"Version" : "2012-10-17",
"Id" : "auto-dynamodb-1",
"Statement" : [ {
"Sid" : "Allow access through Amazon DynamoDB for all principals in the account that are authorized to use Amazon DynamoDB",
"Effect" : "Allow",
"Principal" : {
"AWS" : "*"
},
"Action" : [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey" ],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"kms:CallerAccount" : "123456780123",
"kms:ViaService" : "dynamodb.ap-northeast-1.amazonaws.com"
}
}
}, {
"Sid" : "Allow direct access to key metadata to the account",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::123456780123:root"
},
"Action" : [ "kms:Describe*", "kms:Get*", "kms:List*", "kms:RevokeGrant" ],
"Resource" : "*"
}, {
"Sid" : "Allow DynamoDB Service with service principal name dynamodb.amazonaws.com to describe the key directly",
"Effect" : "Allow",
"Principal" : {
"Service" : "dynamodb.amazonaws.com"
},
"Action" : [ "kms:Describe*", "kms:Get*", "kms:List*" ],
"Resource" : "*"
} ]
}"
}