Hi there! I would recommend contacting AWS Support. From the KMS documentation:
...suppose you create a key policy that gives only one user access to the KMS key. If you then delete that user, the key becomes unmanageable and you must contact AWS Support to regain access to the KMS key.
Hi!
It sounds like the key policy is locking you out and you will have to contact AWS Support. An AWS KMS key policy does not automatically give permission to the account or any of its users, unlike other resource policies (e.g. an S3 bucket policy). Thus, AdministratorAccess on an IAM entity without a proper KMS key policy won't work.
For KMS Keys, the Key Policy must allow access to administer the KMS Key. If you are unable to edit the policy, then you will need AWS Support to help you with cleaning up the Key.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
Check out this AWS Guide on the "Default Key Policy" and how to reduce the risk of a key becoming unmanageable (which is what you have pointed out above): https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
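The lock-out condition described in this answer can be checked before a key is ever created. The following is an added example (not code from the AWS documentation or from anyone on this thread): it parses a KMS key policy document and reports whether any Allow statement lets the account root principal (`arn:aws:iam::<account-id>:root`, the principal used by the default key policy's "Enable IAM User Permissions" statement) administer the key. If no such statement exists, the key depends entirely on the named IAM users or roles and becomes unmanageable once they are deleted. The two policy documents and the account ID `111122223333` are constructed samples; the function names are this example's own.

```python
"""Lint a KMS key policy for the lock-out risk described in the answer above.

Heuristic: a key is considered safe from lock-out only if an Allow statement
grants kms:* (or at least kms:PutKeyPolicy) to the account root principal,
which is what keeps IAM policies in the account able to delegate access.
Deny statements, Conditions and action wildcards such as "kms:Put*" are not
evaluated; this is a pre-deployment sanity check, not a full policy evaluator.
"""
import json

# Constructed sample: a key policy that trusts a single IAM user only.
AT_RISK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OnlyOneAdmin",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/kms-admin"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
})

# Constructed sample: the same policy with the default key policy's
# "Enable IAM User Permissions" statement added in front of it.
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "OnlyOneAdmin",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/kms-admin"},
            "Action": "kms:*",
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """Return the AWS principals named by a statement ("*" for the wildcard)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS", []))]
    return []


def _grants_administration(statement):
    """True if the statement's actions include kms:* or kms:PutKeyPolicy."""
    actions = {a.lower() for a in _as_list(statement.get("Action", []))}
    return "kms:*" in actions or "kms:putkeypolicy" in actions


def root_admin_principals(policy_json, account_id):
    """Return the account-root principals (ARN or bare account ID form) that an
    Allow statement permits to administer the key."""
    policy = json.loads(policy_json)
    root_arn = f"arn:aws:iam::{account_id}:root"
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _grants_administration(stmt):
            continue
        for principal in _aws_principals(stmt):
            # A bare account ID as principal is shorthand for the root ARN.
            if principal in (root_arn, account_id):
                found.append(principal)
    return found


def is_lockout_risk(policy_json, account_id):
    """True when no account-root principal can administer the key, so deleting
    the named IAM principals would leave the key unmanageable."""
    return not root_admin_principals(policy_json, account_id)


if __name__ == "__main__":
    for name, doc in (("AT_RISK_POLICY", AT_RISK_POLICY), ("SAFE_POLICY", SAFE_POLICY)):
        print(name, "lock-out risk:", is_lockout_risk(doc, "111122223333"))
```

Run this against a key policy document before passing it to `aws kms create-key --policy` or `put-key-policy`; if it reports a lock-out risk, add the root statement from the default key policy linked above before the key is created. Keep in mind that granting `kms:*` to root does not by itself grant anyone access: it only lets IAM policies in the account do so, which is exactly what AdministratorAccess needs in order to work.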
If the specific key is completely inaccessible, AWS does have a method to recover access if you submit a support ticket. They do take extra steps to make sure this method is not used to circumvent security.
Each case may be different but general steps are as follows; however, you will get specific detailed instructions in the ticket.
- Create an IAM user with a specific name including the KMS Key ID to be recovered, attaching the IAM policy provided in the ticket
- The ticket will provide you with a one-time code, and AWS will contact you by phone at the number on the account owning the key
- The AWS internal team will verify the key is inaccessible and, if confirmed, will recover access for the provided IAM user
After AWS has recovered the key you can then use the IAM user to make the necessary changes to the key.
Thanks, that's what I expected. I guess we'll have to add paid support to that account.