How it works...

In this recipe, we created a key with the default key policy and tried encrypting and decrypting files in the bucket with that key. Both operations succeeded. Then, we added an explicit Deny for requests arriving through the S3 service, using the kms:ViaService condition key, and tried decrypting the same file again. This time, the decryption failed: an explicit Deny in the key policy overrides every Allow, whether that Allow comes from the key policy itself or from an IAM policy, so the key users statement no longer helps once the request comes through S3.

As we saw in step 1, the default key policy gives full permission to the owner account's root user and thereby enables IAM policies in the account to grant access to the CMK. It also allows key administrators to administer the CMK and key users to use it for cryptographic operations. The kms:ViaService condition key takes the regional endpoint name of the calling service (for example, s3.us-east-1.amazonaws.com), so the region in the condition must match the region of the bucket; a bucket in another region would not be covered by the Deny. I used us-east-1 since my bucket is present in us-east-1.

In our key policy JSON, we used the following elements:

  • Effect: Specifies whether the statement allows or denies the listed actions.
  • Principal: Specifies who the statement applies to. Allowed values include AWS accounts (root), IAM users, IAM roles, and supported AWS services. Unlike an IAM identity policy, a key policy statement must name a Principal.
  • Action: Specifies the operations (for example, kms:Encrypt) to allow or deny.
  • Resource: Specifies the resource the statement applies to. We specified *, which in a key policy means the CMK the policy is attached to, not every key in the account.
  • Condition: Used to specify any condition that must hold for the statement to take effect. This is an optional element.

We can also specify an optional Sid parameter. Sid stands for statement identifier and can contain a string value that describes the statement.
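To show why the key users' Allow stops working once the Deny is in place, here is an added example (not code from the book) that builds a key policy with the same three statements and runs a small model of the evaluation rules over it. The account ID, the key-user ARN and the request contexts are constructed placeholders, and the evaluator is a deliberate simplification (it matches principals by exact ARN, so the root statement's delegation to IAM policies is not modelled, and it understands only the StringEquals operator); it is not the real IAM engine.

```python
"""Build the recipe's KMS key policy and evaluate sample requests against it."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"                                  # constructed placeholder
KEY_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/kms-key-user"     # constructed principal
REGION = "us-east-1"                                         # bucket region used in the recipe


def build_key_policy(account_id, key_user_arn, region):
    """Default-style key policy plus the explicit Deny on use via S3 in one region."""
    return {
        "Version": "2012-10-17",
        "Id": "key-policy-with-s3-deny",
        "Statement": [
            {   # default statement: lets IAM policies in the account grant access to the CMK
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",            # in a key policy, * means this CMK only
            },
            {   # key users may use the CMK for cryptographic operations
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": key_user_arn},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                           "kms:ReEncrypt*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {   # the recipe's addition: deny any use that arrives through S3 in this region
                "Sid": "Deny use via S3",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "kms:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    # Simplification: exact ARN match only (the real engine also lets the root
    # principal stand for identities whose IAM policies grant the action).
    if principal == "*":
        return True
    return caller_arn in _as_list(principal.get("AWS", []))


def _condition_matches(condition, ctx):
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            actual = ctx.get(key)           # an absent key never satisfies StringEquals
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def evaluate(policy, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for a request context.

    ctx carries 'principal' (caller ARN), 'action' and, for requests made through
    another AWS service, 'kms:ViaService' set to that service's regional endpoint.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], ctx["principal"]):
            continue
        if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                   # explicit Deny wins over any Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, KEY_USER, REGION)
    print(json.dumps(policy, indent=2))
    direct = {"principal": KEY_USER, "action": "kms:Decrypt"}
    via_s3 = {**direct, "kms:ViaService": f"s3.{REGION}.amazonaws.com"}
    print("direct kms:Decrypt ->", evaluate(policy, direct))   # Allow
    print("decrypt via S3     ->", evaluate(policy, via_s3))   # Deny
```

Running it prints the policy document and then shows that the same key user is allowed to call kms:Decrypt directly but is denied when the identical call arrives through S3 in us-east-1. Changing the region in the request context to one the condition does not name makes the Deny fall away again, which is the caveat to remember when a bucket and its key policy disagree on region.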
