Hi there! I would recommend contacting AWS Support. From the KMS documentation:
...suppose you create a key policy that gives only one user access to the KMS key. If you then delete that user, the key becomes unmanageable and you must contact AWS Support to regain access to the KMS key.
Hi!
It sounds like the key policy is locking you out and you will have to contact AWS Support. An AWS KMS key policy does not automatically give permission to the account or any of its users, unlike other resource policies (e.g. an S3 bucket policy). Thus, AdministratorAccess on an IAM entity without a proper KMS key policy won't work.
For KMS Keys, the Key Policy must allow access to administer the KMS Key. If you are unable to edit the policy, then you will need AWS Support to help you with cleaning up the Key.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
Check out this AWS Guide on the "Default Key Policy" and how to reduce the risk of a key becoming unmanageable (which is what you have pointed out above): https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
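As an added example (not part of the answers above, and not AWS's own code), the following Python check makes the point concrete: it inspects a KMS key policy document offline and reports which principals can call kms:PutKeyPolicy, whether the account root principal is among them (the "Enable IAM User Permissions" statement of the default key policy, which is what lets IAM policies such as AdministratorAccess take effect), and whether any listed principal looks like a deleted one. The policies, the account ID 111122223333 and the principal names are constructed for the example; the unique-ID check relies on the documented behaviour that IAM rewrites a deleted user's or role's ARN in a resource policy to its unique ID.

```python
"""Offline check of a KMS key policy for the 'unmanageable key' condition.

All policies below are constructed for this example; 111122223333 is the
account-ID placeholder used in AWS documentation.
"""
import json

ACCOUNT_ID = "111122223333"  # assumed account for the sample policies

# Constructed: trusts exactly one IAM user. Delete that user and nobody can
# call kms:PutKeyPolicy; IAM AdministratorAccess does not help.
LOCKED_OUT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-single-user",
    "Statement": [{
        "Sid": "Allow one user everything",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# Constructed: the shape of the default key policy. The root-principal
# statement delegates key administration to IAM for the whole account.
DEFAULT_STYLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/app"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
    ],
})

# Constructed: what LOCKED_OUT_POLICY looks like after user 'alice' is
# deleted; IAM replaces the ARN with the former user's unique ID.
ORPHANED_POLICY = LOCKED_OUT_POLICY.replace(
    f"arn:aws:iam::{ACCOUNT_ID}:user/alice", "AIDACKCEVSQ6C2EXAMPLE")


def _as_list(value):
    """Policy grammar allows a string or a list for Principal.AWS and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_put_key_policy(actions):
    """True if Action covers kms:PutKeyPolicy, the permission needed to
    repair a key policy. IAM action names are case-insensitive and may end
    in a wildcard."""
    target = "kms:putkeypolicy"
    for action in actions:
        a = action.lower()
        if a in ("*", "kms:*", target):
            return True
        if a.endswith("*") and target.startswith(a[:-1]):
            return True
    return False


def key_policy_admins(policy_json):
    """AWS principals that an unconditional Allow statement lets call
    kms:PutKeyPolicy. Deny statements are deliberately not evaluated; if the
    policy has any, review them by hand."""
    policy = json.loads(policy_json)
    admins = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _covers_put_key_policy(_as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            admins.add("*")
        elif isinstance(principal, dict):
            admins.update(_as_list(principal.get("AWS")))
    return admins


def is_manageable_via_iam(policy_json, account_id):
    """True when the account root principal (ARN form or bare account ID,
    which IAM treats identically) can call kms:PutKeyPolicy, i.e. IAM
    policies in that account are honoured for this key."""
    root = {f"arn:aws:iam::{account_id}:root", account_id}
    return bool(key_policy_admins(policy_json) & root)


def dangling_principals(policy_json):
    """Admin principals that are neither ARNs, account IDs nor '*': these are
    unique IDs left behind for IAM users or roles that no longer exist."""
    return {p for p in key_policy_admins(policy_json)
            if p != "*" and not p.isdigit() and not p.startswith("arn:")}


if __name__ == "__main__":
    for name, doc in [("locked-out", LOCKED_OUT_POLICY),
                      ("default-style", DEFAULT_STYLE_POLICY),
                      ("orphaned", ORPHANED_POLICY)]:
        print(name, "manageable via IAM:", is_manageable_via_iam(doc, ACCOUNT_ID),
              "admins:", sorted(key_policy_admins(doc)),
              "dangling:", sorted(dangling_principals(doc)))
```

To run this against a real key, feed it the output of `aws kms get-key-policy --key-id <id> --policy-name default --output text` (the policy document is returned as a string). A key for which `is_manageable_via_iam` is false and `dangling_principals` is non-empty is exactly the case the answers describe, and only AWS Support can repair it.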
If the specific key is completely inaccessible, AWS does have a method to recover access if you submit a support ticket. They do take extra steps to make sure this method is not used to circumvent security.
Each case may be different but general steps are as follows; however, you will get specific detailed instructions in the ticket.
- Create an IAM user with a specific name including the KMS key ID to be recovered and with the IAM policy provided in the ticket
- The ticket will provide you with a one-time code, and AWS will contact you by phone at the number on the account owning the key
- AWS internal team will verify key is inaccessible and if confirmed will recover access to the provided IAM user
After AWS has recovered the key you can then use the IAM user to make the necessary changes to the key.
Thanks, that's what I expected. I guess we'll have to add paid support to that account.