I want to resolve my AWS Key Management Service (AWS KMS) key policy error.
Short description
If you didn't correctly modify your AWS KMS key policy, then the PutKeyPolicy AWS KMS API operation fails, and you might get one of the following error messages:
"PutKeyPolicy request failed MalformedPolicyDocumentException - Policy contains a statement with one or more invalid principals."
"Policy contains a statement with one or more invalid principals"
To resolve this issue, complete one or more of the following resolution actions.
Resolution
Use valid JSON syntax
Confirm that your key policy document is valid JSON. To troubleshoot JSON syntax errors, paste the JSON policy document into a JSON formatting tool. Remove extra characters, and add any characters that are missing. Make sure that you remove any duplicate JSON policy elements and duplicate statement ID (Sid) values.
Specify principal elements
In the Principal element of the JSON policy, confirm that the AWS Identity and Access Management (IAM) identity exists and that its Amazon Resource Name (ARN) is valid.
The key policy is in effect only in the AWS Region that contains the AWS KMS key. If the key policy grants permissions to another AWS account or principal, then the key policy might not be in effect. Make sure that your key policy refers to the AWS KMS key in the correct Region.
You must specify the Principal element as an IAM identity. If you specified an AWS service as the principal, then make sure that AWS KMS supports that service. For AWS services that support the kms:ViaService condition key and make requests with a forward access session, use the kms:ViaService condition key in the policy.
AWS services that make direct calls to AWS KMS must have their service principal in the Principal element. Check that the AWS service that you use calls AWS KMS directly.
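The following Python script, added here as an illustration and not part of the original article or of any AWS tooling, performs the checks from the "Use valid JSON syntax" and "Specify principal elements" sections before a policy is submitted with PutKeyPolicy: it parses the document as JSON, flags duplicate Sid values, and verifies that every Principal is an account ID, an IAM or STS ARN, or a service principal name. The sample policy, the account ID 111122223333, and the ARN patterns are constructed assumptions; the script does not call AWS.

```python
import json
import re

# Constructed sample key policy (not taken from the article). It deliberately
# contains two defects the article describes: a duplicate Sid and an invalid principal.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Id": "key-policy-example",
  "Statement": [
    {
      "Sid": "EnableRootPermissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "EnableRootPermissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleRole"},
      "Action": ["kms:Encrypt", "kms:Decrypt"],
      "Resource": "*"
    },
    {
      "Sid": "AllowUseViaS3",
      "Effect": "Allow",
      "Principal": {"AWS": "alias/not-an-arn"},
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}
    }
  ]
}"""

# Principal shapes accepted in a KMS key policy (assumed patterns, kept deliberately strict).
ACCOUNT_ID = re.compile(r"^\d{12}$")
IAM_ARN = re.compile(r"^arn:aws[a-zA-Z-]*:iam::\d{12}:(root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+)$")
STS_ARN = re.compile(r"^arn:aws[a-zA-Z-]*:sts::\d{12}:assumed-role/[\w+=,.@-]+/[\w+=,.@-]+$")
SERVICE_PRINCIPAL = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com$")


def _as_list(value):
    """IAM policy grammar allows a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _aws_principal_ok(value):
    return value == "*" or bool(ACCOUNT_ID.match(value) or IAM_ARN.match(value) or STS_ARN.match(value))


def validate_key_policy(policy_text):
    """Return a list of human-readable findings; an empty list means no problems found."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    findings = []
    seen_sids = set()
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        # Duplicate Sid values are rejected by PutKeyPolicy.
        sid = stmt.get("Sid")
        if sid is not None:
            if sid in seen_sids:
                findings.append(f"statement {index}: duplicate Sid '{sid}'")
            seen_sids.add(sid)

        # Every key policy statement needs a Principal element.
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"statement {index}: missing Principal element")
            continue
        if principal == "*":
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {index}: Principal must be '*' or an object")
            continue

        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "AWS":
                    ok = _aws_principal_ok(value)
                elif kind == "Service":
                    ok = bool(SERVICE_PRINCIPAL.match(value))
                else:
                    ok = True  # Federated / CanonicalUser principals are not checked here
                if not ok:
                    findings.append(f"statement {index}: invalid {kind} principal '{value}'")
    return findings


if __name__ == "__main__":
    for finding in validate_key_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```

Run the script on the policy document before calling PutKeyPolicy; each finding names the statement index so the offending Sid or principal can be corrected in the JSON. The ARN patterns are a pre-flight check only: a syntactically valid ARN still fails PutKeyPolicy if the IAM identity does not exist.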
Opt in to the Region
The recipient account that you share the AWS KMS key with must opt in to the Region that contains the key. Make sure that you activate the Region in the recipient account. You can also share a different AWS KMS key that is in a Region that both your AWS account and the recipient account have activated.