Question
A CMK is an encryption key. In Amazon Web Services, for CMKs (Customer Master Keys) in KMS (Key Management Service), what is the difference between administrative permissions and key usage permissions?
Answer
Usage permissions enable (either IAM users or roles) to encrypt and decrypt data with the AWS KMS API.
Administrative permissions for a CMK allows either an IAM user or role to give usage permissions to other IAM users or roles through the API (and sometimes the web console).