Each key managed by the AWS Key Management Service (KMS) must have a resource policy (the key policy) that describes which AWS principals can use and manage the key. If you create a policy that grants management privileges to no principal, or if the principals named in the policy are themselves deleted, you may find yourself unable to manage the KMS key. Fortunately, AWS provides a way to regain control of the key in such a situation. Note that even the root user of the AWS account cannot manage KMS keys unless the key policy specifically allows it!
As of , we could not find AWS documentation that discusses how to recover management access to a key, thus we created this short article.
To avoid being locked out of a KMS key when an IAM principal is accidentally deleted, use a Condition in the key policy rather than naming the principal directly. When an IAM user or role listed in a policy's Principal element is deleted, AWS rewrites that entry to the principal's unique ID, so re-creating a role with the same name does not restore access. With Principal set to "*" and an aws:PrincipalArn condition, the match is made on the ARN string, so a re-created role with the same name is allowed again.
    {
        "Sid": "Allow administration",
        "Effect": "Allow",
        "Principal": { "AWS": "*" },
        "Action": "kms:*",
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "aws:PrincipalArn": [
                    "arn:aws:iam::${SOME_ACCOUNT_ID}:role/shib-admin",
                    "arn:aws:iam::${SOME_ACCOUNT_ID}:root"
                ]
            }
        }
    }
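The following added example (not part of the original article) builds a complete key policy around the condition-based admin statement above and lints a policy for the lockout risk the article describes. It assumes the role name shib-admin from the article; the account ID 111122223333 is a constructed sample value, and the policy evaluation is a deliberate simplification (Allow statements only, no Deny, no IAM identity policies, no other condition keys).

```python
"""Build a lockout-resistant KMS key policy and lint an existing one.

Added example, not from the original article. Assumes the role name
"shib-admin" from the article; any account id used with it is a
constructed sample value.
"""
import fnmatch

# Actions that let a principal change the key policy or schedule deletion.
# If no reachable principal holds one of these, the key is "locked out".
MANAGEMENT_ACTIONS = {"kms:*", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Return the AWS principals of a statement as a list of strings."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def _grants_management(stmt):
    return stmt.get("Effect") == "Allow" and bool(
        MANAGEMENT_ACTIONS & set(_as_list(stmt.get("Action")))
    )


def build_key_policy(account_id, admin_role_names):
    """Return a full key policy whose admin statement matches by ARN pattern
    (aws:PrincipalArn condition) instead of pinning an IAM ARN in Principal,
    so a re-created role with the same name regains access."""
    arns = [f"arn:aws:iam::{account_id}:root"] + [
        f"arn:aws:iam::{account_id}:role/{name}" for name in admin_role_names
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow administration",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "kms:*",
                "Resource": "*",
                "Condition": {"StringLike": {"aws:PrincipalArn": arns}},
            }
        ],
    }


def fragile_admin_sids(policy):
    """Sids of management-granting statements that pin an IAM user or role
    ARN in Principal. Deleting that principal turns the entry into an
    opaque unique id that never matches again."""
    fragile = []
    for stmt in policy.get("Statement", []):
        if not _grants_management(stmt):
            continue
        if any(":role/" in p or ":user/" in p for p in _aws_principals(stmt)):
            fragile.append(stmt.get("Sid", "<no Sid>"))
    return fragile


def can_manage(policy, principal_arn):
    """Simplified check: does some Allow statement grant a management action
    to principal_arn, honouring Principal pinning and a StringLike
    aws:PrincipalArn condition? Deny statements, other condition keys and
    the principal's own IAM policies are ignored."""
    for stmt in policy.get("Statement", []):
        if not _grants_management(stmt):
            continue
        principals = _aws_principals(stmt)
        if "*" not in principals and principal_arn not in principals:
            continue
        patterns = _as_list(
            stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn")
        )
        # StringLike supports * and ? wildcards; fnmatchcase covers both.
        if patterns and not any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_key_policy("111122223333", ["shib-admin"])
    print("fragile statements:", fragile_admin_sids(policy))
    print("shib-admin can manage:",
          can_manage(policy, "arn:aws:iam::111122223333:role/shib-admin"))
```

Running the module builds the policy for the sample account and reports that no statement pins a principal and that the shib-admin role can manage the key; pointing fragile_admin_sids at a policy whose Principal names the role ARN directly flags it, which is the shape that becomes unrecoverable once the role is deleted.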