{"id":"backup-kms-three-minimum-permissions","text":"The three minimum KMS key policy permissions required for AWS Backup operations are `kms:CreateGrant`, `kms:GenerateDataKey`, and `kms:Decrypt`.","truth_value":"IN","source":"entries/2026/03/12/aws-backup-latest-devguide-encryptionhtml.md","source_url":"","source_hash":"993244b621161c16","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"backup-kms-three-minimum-permissions","truth_value":"IN","reason":"premise"}]}}