Unable to delete KMS customer-managed key (CMK) using `AdministratorAccess` Role or root login credentials

0

A user in one of our accounts accidentally created a KMS managed key with an incorrect policy. Neither the assumed role AdministratorAccess nor the root account can delete this key, nor update the policy to enable key deletion.

Using AWS CLI:

➜ aws --region us-east-1 kms schedule-key-deletion --key-id <REDACTED> --pending-window-in-days 7

An error occurred (AccessDeniedException) when calling the ScheduleKeyDeletion operation: User: arn:aws:sts::<REDACTED>:assumed-role/AdministratorAccess/<REDACTED> is not authorized to perform: kms:ScheduleKeyDeletion on resource: arn:aws:kms:us-east-1:<REDACTED>:key/<REDACTED> because no resource-based policy allows the kms:ScheduleKeyDeletion action

➜ aws --region us-east-1 kms put-key-policy --policy-name default --policy file://key_policy.json --key-id <REDACTED> 

An error occurred (AccessDeniedException) when calling the PutKeyPolicy operation: User: arn:aws:sts::<REDACTED>:assumed-role/AdministratorAccess/<REDACTED> is not authorized to perform: kms:PutKeyPolicy on resource: arn:aws:kms:us-east-1:<REDACTED>:key/<REDACTED> because no resource-based policy allows the kms:PutKeyPolicy action

As root on the web console, I get "root is not authorized to perform: kms:DescribeKey on resource" and am unable to view details, or change the deletion schedule (which never succeeds). If I try to issue a new key deletion request using the console, I get "Select only keys that aren't already scheduled for deletion."

Ciaran
asked 2 years ago · 6463 views
3 Answers
1

Hi there! I would recommend contacting AWS Support. From the KMS documentation:

...suppose you create a key policy that gives only one user access to the KMS key. If you then delete that user, the key becomes unmanageable and you must contact AWS Support to regain access to the KMS key.

AWS
kunzt
answered 2 years ago
  • Thanks, that's what I expected. I guess we'll have to add paid support to that account.

0

Hi!

It sounds like the key policy is locking you out and you will have to contact AWS Support. An AWS KMS key policy does not automatically give permission to the account or any of its users, unlike other resource policies (e.g. an S3 bucket policy). Thus, AdministratorAccess on an IAM entity without a proper KMS key policy won't work.

For KMS Keys, the Key Policy must allow access to administer the KMS Key. If you are unable to edit the policy, then you will need AWS Support to help you with cleaning up the Key.

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

Check out this AWS Guide on the "Default Key Policy" and how to reduce the risk of a key becoming unmanageable (which is what you have pointed out above): https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html

jsonc
answered 2 years ago
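As an added illustration of the lockout the answers above describe (this is not code from the post, from AWS, or from the linked guides): a small lint that reads a KMS key policy document and reports whether the account root principal keeps `kms:PutKeyPolicy` and `kms:ScheduleKeyDeletion`, which is what lets IAM policies such as AdministratorAccess apply to the key at all. The sample policies and the account id `111122223333` are constructed for the example.

```python
import fnmatch
import json

# Without these two permissions an administrator can neither repair the policy nor delete the key.
ADMIN_ACTIONS = ("kms:PutKeyPolicy", "kms:ScheduleKeyDeletion")

# Constructed sample: a policy that names only one IAM user, like the one in the question.
LOCKED_OUT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
     "Action": "kms:*", "Resource": "*"}]})

# Constructed sample modelled on the "Enable IAM User Permissions" statement of the default key policy.
DEFAULT_STYLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Principal ARNs (or '*') named by a statement; non-AWS principals (services) are ignored."""
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def _matches(statement, action):
    """True if the statement's Action element covers `action`, including wildcards like kms:*."""
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement.get("Action", [])))


def key_policy_lockout_risks(policy_json, account_id):
    """Return findings explaining why a KMS key policy could become unmanageable.

    An empty list means the account root principal is allowed (and not explicitly denied)
    both admin actions, so IAM policies such as AdministratorAccess still apply to the key.
    """
    root_arn = f"arn:aws:iam::{account_id}:root"
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    findings = []
    for action in ADMIN_ACTIONS:
        allowed, denied = set(), set()
        for stmt in statements:
            effect = stmt.get("Effect")
            if effect in ("Allow", "Deny") and _matches(stmt, action):
                (allowed if effect == "Allow" else denied).update(_principals(stmt))
        if not allowed:
            findings.append(f"{action}: no principal is allowed; only AWS Support can recover the key")
        elif root_arn not in allowed and "*" not in allowed:
            findings.append(f"{action}: allowed only to {sorted(allowed)}, not {root_arn}; "
                            "IAM permissions (e.g. AdministratorAccess) will not apply")
        if root_arn in denied or "*" in denied:
            findings.append(f"{action}: explicitly denied to the account root principal")
    return findings
```

The `Policy` string returned by `aws kms get-key-policy --key-id <id> --policy-name default` can be passed in as `policy_json` to check an existing key before its only named principal disappears.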
0

If the specific key is completely inaccessible, AWS does have a method to recover access if you submit a support ticket. They do take extra steps to make sure this method is not used to circumvent security.

Each case may be different but general steps are as follows; however, you will get specific detailed instructions in the ticket.

  • Create an IAM user with a specific name including the KMS Key ID to be recovered, and attach the IAM policy provided in the ticket
  • The ticket will provide you with a one-time code, and AWS will contact you by phone at the number on the account owning the key
  • The AWS internal team will verify the key is inaccessible and, if confirmed, will recover access for the provided IAM user

After AWS has recovered the key you can then use the IAM user to make the necessary changes to the key.

Jeremy
answered 2 years ago
