Using kms:GetKeyRotationStatus on AWS managed key(ex aws/acm), AWS doesn't grant access to this API call to anyone, including the account owner. Is that correct?

Question

I'm testing Java AP with KMS API.
When I do kms:GetKeyRotationStatus on AWS managed key "aws/acm", It will fail no matter what permissions are set.

AccessDeniedException is displayed.

So, Although the documentation doesn't explain it, using kms:GetKeyRotationStatus on AWS managed key(ex aws/acm), AWS doesn't grant access to this API call to anyone, including the account owner. Is that correct?

Answer

Hi, I was able to get the KeyRotationStatus on a aws-managed kms key.

Make sure that the user/role used by the JAVA AP is in the same region as the KMS managed key, and that it really has enough permissions. You should then be able to run the following:

```
$aws kms list-keys                                                                                                                                                                                                       
{
    "Keys": [
        {
            "KeyId": "e1xxxxx-e6xx-45xx-xxxx-xxxxxxxxxxxxx",
            "KeyArn": "arn:aws:kms:us-west-2:000000000000:key/e1xxxxx-e6xx-45xx-xxxx-xxxxxxxxxxxxx"
        }
    ]
}
```
followed by

```
$ aws kms get-key-rotation-status --key-id e1xxxxx-e6xx-45xx-xxxx-xxxxxxxxxxxxx                                                                                                                                           
{
    "KeyRotationEnabled": true
}
```

That key id belongs to an aws-managed KMS key (aws/sns)

Hope this helps.

Using kms:GetKeyRotationStatus on AWS managed key(ex aws/acm), AWS doesn't grant access to this API call to anyone, including the account owner. Is that correct?

Contenido relevante