Which policies do I need to apply to delete a key?

0

I have an IAM user (root user) which has the following custom policy set, applied via an IAM group:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CancelKeyDeletion",
        "kms:CreateAlias",
        "kms:CreateKey",
        "kms:DeleteAlias",
        "kms:Describe*",
        "kms:DisableKey",
        "kms:EnableKey",
        "kms:GenerateRandom",
        "kms:Get*",
        "kms:List*",
        "kms:ScheduleKeyDeletion",
        "kms:TagResource",
        "kms:UntagResource",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

Yet when I try to delete ("Schedule key deletion") an unused Lightsail key, I get the error message below:

AccessDeniedException -
User: arn:aws:iam::userid:root
is not authorized to perform:
kms:ScheduleKeyDeletion
on resource:
arn:aws:kms:us-east-1:id:key/key-uuid

Which access rights are missing from the above policy set to delete the mentioned key?

I tried relogging after having applied the mentioned IAM group, to no avail.

Edited by: Konstantin Boyandin on Jan 3, 2019 6:08 AM

asked 5 years ago, 275 views
5 Answers
0
Accepted Answer

Hi Konstantin,

No, you don't pay for it. This is one of the keys that is indeed an AWS managed CMK but is showing up in your Customer managed keys console.

Regards,

Raj

AWS
answered 5 years ago
0

Hello Konstantin,

I am assuming that you are referring to an AWS managed CMK for Lightsail. You can confirm this by looking at its alias and checking whether it is of the format aws/lightsail. If that is the case, you cannot delete it. You can only view AWS managed keys but won't be able to manage them.

Thanks,

Raj

AWS
answered 5 years ago
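The check Raj describes (look at the key's alias and whether it is AWS managed) can be scripted against the data that the KMS DescribeKey and ListAliases APIs return. The following is an added example, not code from the thread or from AWS: it evaluates the poster's identity-based policy with a simplified Allow/Deny matcher and then checks the key's KeyManager field and alias before concluding whether kms:ScheduleKeyDeletion can ever succeed. The policy, key records, alias names and the second key ARN are constructed sample data; the first ARN and description are the ones the poster quoted (with the numeric parts they redacted). The evaluator ignores IAM conditions, NotAction/NotResource and the KMS key policy, so a True result means "not blocked by the identity policy or the key type", not a full authorization decision.

```python
import fnmatch

# Constructed sample data (not from the page): an identity-based IAM policy in
# the shape the poster used, plus DescribeKey/ListAliases-style records.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:Describe*", "kms:Get*", "kms:List*",
                       "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
            "Resource": "*",
        }
    ],
}

# ARN as quoted by the poster (numeric parts redacted by them); second ARN is made up.
LIGHTSAIL_KEY_ARN = "arn:aws:kms:us-east-1:012345678901:key/84aecee5-1122-2233-a1aa-e3cde666eb8a"
APP_KEY_ARN = "arn:aws:kms:us-east-1:012345678901:key/11111111-2222-3333-4444-555555555555"

# KeyMetadata.KeyManager is "AWS" for AWS managed keys and "CUSTOMER" otherwise.
KEYS = {
    LIGHTSAIL_KEY_ARN: {
        "KeyManager": "AWS", "KeyState": "Enabled",
        "Description": "Default master key that protects my Lightsail signing keys "
                       "when no other key is defined",
    },
    APP_KEY_ARN: {
        "KeyManager": "CUSTOMER", "KeyState": "Enabled",
        "Description": "application signing key (constructed sample)",
    },
}

ALIASES = [  # ListAliases-style records; TargetKeyId is the bare key id
    {"AliasName": "alias/aws/lightsail", "TargetKeyId": LIGHTSAIL_KEY_ARN.rsplit("/", 1)[1]},
    {"AliasName": "alias/app-signing", "TargetKeyId": APP_KEY_ARN.rsplit("/", 1)[1]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_policy_allows(policy, action, resource_arn):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise
    any matching Allow grants. Action names are compared case-insensitively,
    ARNs case-sensitively; conditions and the key policy are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, p)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def aliases_for(key_arn, aliases):
    key_id = key_arn.rsplit("/", 1)[1]
    return [a["AliasName"] for a in aliases if a.get("TargetKeyId") == key_id]


def explain_schedule_deletion(policy, key_arn, key_meta, aliases):
    """Return (can_delete, reason) for kms:ScheduleKeyDeletion on one key."""
    if key_meta["KeyManager"] == "AWS":
        return False, "AWS managed key (KeyManager=AWS); no IAM principal can schedule deletion"
    if any(name.startswith("alias/aws/") for name in aliases_for(key_arn, aliases)):
        return False, "alias under alias/aws/ is reserved for AWS managed keys"
    if key_meta["KeyState"] == "PendingDeletion":
        return False, "key is already pending deletion"
    if not identity_policy_allows(policy, "kms:ScheduleKeyDeletion", key_arn):
        return False, "identity policy does not allow kms:ScheduleKeyDeletion on this ARN"
    return True, "customer managed and allowed by identity policy (key policy still applies)"


def triage(policy, keys, aliases):
    """Map every key ARN to its (can_delete, reason) verdict."""
    return {arn: explain_schedule_deletion(policy, arn, meta, aliases)
            for arn, meta in keys.items()}


if __name__ == "__main__":
    for arn, (ok, why) in triage(POLICY, KEYS, ALIASES).items():
        print(("DELETABLE " if ok else "BLOCKED   ") + arn.rsplit("/", 1)[1] + ": " + why)
```

Run against the sample data, the Lightsail key is reported as blocked because KeyManager is AWS even though the identity policy grants kms:ScheduleKeyDeletion on every resource, which is exactly the situation in the thread: the AccessDeniedException comes from the key type, not from a missing IAM action. With boto3 the same functions can be fed from `kms.describe_key(KeyId=...)["KeyMetadata"]` and `kms.list_aliases()["Aliases"]`.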
0

No, it's from "Customer managed keys" and looks like

arn:aws:kms:us-east-1:012345678901:key/84aecee5-1122-2233-a1aa-e3cde666eb8a
(all numerical parts redacted)

The comment to it: "Default master key that protects my Lightsail signing keys when no other key is defined". That's strange, since I do not have Lightsail resources.

Question is, do I pay for it?

The explanations on the KMS page are not too clear on that.

answered 5 years ago
0

Hello Raj,

Thanks for the response. This is weird. The key should be marked properly; I wasted both my time and the time of those answering me here just because the key is misplaced and mislabeled.

Sincerely,
Konstantin

answered 5 years ago
0

Hello Konstantin,

Agreed. We are now aware of the issue and will fix it asap.

Thanks,

Raj

AWS
answered 5 years ago