Can't cleanup obsolete Customer managed keys in Key Management Service

0

Not being able to view details, disable and/or schedule key deletion. Getting:

DescribeKey request failed AccessDeniedException - User: arn:aws:iam:::user/root is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:us-east-1::key/005aa284-c9a3-4b75-8eaa-de1ac998786d because no resource-based policy allows the kms:DescribeKey action

DisableKey request failed AccessDeniedException - User: arn:aws:iam:::user/root is not authorized to perform: kms:DisableKey on resource: arn:aws:kms:us-east-1::key/005aa284-c9a3-4b75-8eaa-de1ac998786d because no resource-based policy allows the kms:DisableKey action

AWS Support under "Account and billing" saying: This issue is beyond our scope on the Billing and Accounts team ... For additional technical help, you can engage our support engineers by posting to AWS re:Post ... You can also contact Premium (!?) Support.

Appreciate your advice.

Artem
Asked 3 months ago · 94 views
1 Answer
0

Hi, Artem

Please check this AWS document https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html for KMS resource-based policy.

If this helps solve your problem, please choose this as the Accepted Answer so others on re:Post may benefit - Thank you!

AWS
Answered 3 months ago
Expert
Reviewed 1 month ago
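
An added example, not part of the answer above and not AWS code: a simplified offline check of whether a key policy document contains an unconditional Allow for the account principal, as the default key policy in the linked document does, covering the actions named in the errors. The function names, the account ID 111122223333 and both sample policies are constructed for illustration.

```python
import fnmatch
import json

# Actions from the errors in the question, plus the one that schedules deletion.
CLEANUP_ACTIONS = ["kms:DescribeKey", "kms:DisableKey", "kms:ScheduleKeyDeletion"]


def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def actions_delegated_to_account(policy_json, account_id, actions=CLEANUP_ACTIONS):
    """Map each action to True if an unconditional Allow names the account principal.
    Simplified: Condition, NotAction and NotPrincipal statements are skipped and
    Deny statements are not evaluated."""
    root_forms = {account_id, f"arn:aws:iam::{account_id}:root"}
    granted = {a: False for a in actions}
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if not root_forms.intersection(aws_principals):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in actions:
                # IAM action names are case-insensitive and accept * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted[action] = True
    return granted

# Constructed sample policies; 111122223333 is a placeholder account ID.
DEFAULT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]})
ROLE_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Key admins", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleKeyAdmin"},
    "Action": ["kms:Describe*", "kms:Disable*"], "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in [("default", DEFAULT_POLICY), ("role-only", ROLE_ONLY_POLICY)]:
        print(name, actions_delegated_to_account(doc, "111122223333"))
```

A key whose policy returns False for all three actions cannot be managed through IAM policies in the account; only the principals named in the key policy itself can act on it.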
