diff --git a/x-pack/plugins/security/public/management/api_keys/api_keys_grid/__snapshots__/api_keys_grid_page.test.tsx.snap b/x-pack/plugins/security/public/management/api_keys/api_keys_grid/__snapshots__/api_keys_grid_page.test.tsx.snap
index ceb0fe751c2c7..6d1e0054078bd 100644
--- a/x-pack/plugins/security/public/management/api_keys/api_keys_grid/__snapshots__/api_keys_grid_page.test.tsx.snap
+++ b/x-pack/plugins/security/public/management/api_keys/api_keys_grid/__snapshots__/api_keys_grid_page.test.tsx.snap
@@ -135,7 +135,9 @@ exports[`APIKeysGridPage renders permission denied if user does not have require
               }
               iconType="securityApp"
               title={
-                <h2>
+                <h2
+                  data-test-subj="apiKeysPermissionDeniedMessage"
+                >
                   <FormattedMessage
                     defaultMessage="You need permission to manage API keys"
                     id="xpack.security.management.apiKeys.deniedPermissionTitle"
@@ -174,6 +176,7 @@ exports[`APIKeysGridPage renders permission denied if user does not have require
                     <EuiTitle>
                       <h2
                         className="euiTitle euiTitle--medium"
+                        data-test-subj="apiKeysPermissionDeniedMessage"
                       >
                         <FormattedMessage
                           defaultMessage="You need permission to manage API keys"
diff --git a/x-pack/plugins/security/public/management/api_keys/api_keys_grid/permission_denied/permission_denied.tsx b/x-pack/plugins/security/public/management/api_keys/api_keys_grid/permission_denied/permission_denied.tsx
index d406b1684b3ff..1d9337ecab27f 100644
--- a/x-pack/plugins/security/public/management/api_keys/api_keys_grid/permission_denied/permission_denied.tsx
+++ b/x-pack/plugins/security/public/management/api_keys/api_keys_grid/permission_denied/permission_denied.tsx
@@ -13,7 +13,7 @@ export const PermissionDenied = () => (
       <EuiEmptyPrompt
         iconType="securityApp"
         title={
-          <h2>
+          <h2 data-test-subj="apiKeysPermissionDeniedMessage">
             <FormattedMessage
               id="xpack.security.management.apiKeys.deniedPermissionTitle"
               defaultMessage="You need permission to manage API keys"
diff --git a/x-pack/test/functional/apps/api_keys/home_page.ts b/x-pack/test/functional/apps/api_keys/home_page.ts
index 01548bc5a402d..1c83a17e78ca7 100644
--- a/x-pack/test/functional/apps/api_keys/home_page.ts
+++ b/x-pack/test/functional/apps/api_keys/home_page.ts
@@ -10,18 +10,31 @@ import { FtrProviderContext } from '../../ftr_provider_context';
 export default ({ getPageObjects, getService }: FtrProviderContext) => {
   const pageObjects = getPageObjects(['common', 'apiKeys']);
   const log = getService('log');
+  const security = getService('security');
 
   describe('Home page', function() {
     this.tags('smoke');
     before(async () => {
+      await security.testUser.setRoles(['kibana_admin']);
       await pageObjects.common.navigateToApp('apiKeys');
     });
 
+    after(async () => {
+      await security.testUser.restoreDefaults();
+    });
+
+    // https://www.elastic.co/guide/en/kibana/7.6/api-keys.html#api-keys-security-privileges
+    it('Shows required privileges ', async () => {
+      log.debug('Checking for required privileges method section header');
+      const message = await pageObjects.apiKeys.apiKeysPermissionDeniedMessage();
+      expect(message).to.be('You need permission to manage API keys');
+    });
+
     it('Loads the app', async () => {
+      await security.testUser.setRoles(['test_api_keys']);
       log.debug('Checking for section header');
-      const headerText = await (await pageObjects.apiKeys.noAPIKeysHeading()).getVisibleText();
+      const headerText = await pageObjects.apiKeys.noAPIKeysHeading();
       expect(headerText).to.be('No API keys');
-
       const goToConsoleButton = await pageObjects.apiKeys.getGoToConsoleButton();
       expect(await goToConsoleButton.isDisplayed()).to.be(true);
     });
diff --git a/x-pack/test/functional/config.js b/x-pack/test/functional/config.js
index 1586908d8b5ef..cff555feace18 100644
--- a/x-pack/test/functional/config.js
+++ b/x-pack/test/functional/config.js
@@ -233,6 +233,21 @@ export default async function({ readConfigFile }) {
           },
           kibana: [],
         },
+
+        //Kibana feature privilege isn't specific to advancedSetting. It can be anything. https://github.com/elastic/kibana/issues/35965
+        test_api_keys: {
+          elasticsearch: {
+            cluster: ['manage_security', 'manage_api_key'],
+          },
+          kibana: [
+            {
+              feature: {
+                advancedSettings: ['read'],
+              },
+              spaces: ['default'],
+            },
+          ],
+        },
       },
       defaultRoles: ['superuser'],
     },
diff --git a/x-pack/test/functional/page_objects/api_keys_page.ts b/x-pack/test/functional/page_objects/api_keys_page.ts
index 1ff70a0c1ee02..17f4df74921bc 100644
--- a/x-pack/test/functional/page_objects/api_keys_page.ts
+++ b/x-pack/test/functional/page_objects/api_keys_page.ts
@@ -11,10 +11,15 @@ export function ApiKeysPageProvider({ getService }: FtrProviderContext) {
 
   return {
     async noAPIKeysHeading() {
-      return await testSubjects.find('noApiKeysHeader');
+      return await testSubjects.getVisibleText('noApiKeysHeader');
     },
+
     async getGoToConsoleButton() {
       return await testSubjects.find('goToConsoleButton');
     },
+
+    async apiKeysPermissionDeniedMessage() {
+      return await testSubjects.getVisibleText('apiKeysPermissionDeniedMessage');
+    },
   };
 }