Which policies do I need to apply to delete a key?

0

I have an IAM user (root user) which has the following custom policy set, applied via an IAM group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:CancelKeyDeletion",
                "kms:CreateAlias",
                "kms:CreateKey",
                "kms:DeleteAlias",
                "kms:Describe*",
                "kms:DisableKey",
                "kms:EnableKey",
                "kms:GenerateRandom",
                "kms:Get*",
                "kms:List*",
                "kms:ScheduleKeyDeletion",
                "kms:TagResource",
                "kms:UntagResource",
                "iam:ListGroups",
                "iam:ListRoles",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}

Yet when I try to delete ("Schedule key deletion") an unused Lightsail key, I get the below error message:

AccessDeniedException -
User: arn:aws:iam::userid:root
is not authorized to perform:
kms:ScheduleKeyDeletion
on resource:
arn:aws:kms:us-east-1:id:key/key-uuid

Which access rights are missing from the above policy set to delete the mentioned key?

I tried logging in again after having applied the mentioned IAM group, to no avail.

Edited by: Konstantin Boyandin on Jan 3, 2019 6:08 AM

asked 5 years ago, 266 views
5 Answers
0
Accepted Answer

Hi Konstantin,

No, you don't pay for it. This is one of the keys that is indeed an AWS managed CMK but is showing up in your Customer managed keys console.

Regards,

Raj

AWS
answered 5 years ago
0

Hello Konstantin,

I am assuming that you are referring to an AWS managed CMK for Lightsail. You can confirm this by looking at its alias and see if it is of the format aws/lightsail. If that is the case, you cannot delete it. You can only view AWS managed keys but won't be able to manage them.

Thanks,

Raj

AWS
answered 5 years ago
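An added example (not part of this thread or of any AWS tooling) that applies the check Raj describes programmatically: it reads the shape of the KMS DescribeKey and ListAliases responses (the real fields KeyMetadata.KeyManager and Aliases[].AliasName) and reports whether a key is AWS managed and therefore cannot be scheduled for deletion, regardless of the IAM Allow on kms:ScheduleKeyDeletion. The responses below are constructed sample data with fake IDs so it runs offline; with boto3 you would feed it kms.describe_key() and kms.list_aliases() output instead.

```python
# Constructed sample responses (fake IDs) in the shape returned by
# kms.describe_key(KeyId=...) and kms.list_aliases(). Not real account data.
SAMPLE_DESCRIBE = {
    "KeyMetadata": {
        "KeyId": "84aecee5-1122-2233-a1aa-e3cde666eb8a",
        "Arn": "arn:aws:kms:us-east-1:012345678901:key/84aecee5-1122-2233-a1aa-e3cde666eb8a",
        "KeyManager": "AWS",  # real API field: "AWS" or "CUSTOMER"
        "KeyState": "Enabled",
        "Description": "Default master key that protects my Lightsail signing keys "
                       "when no other key is defined",
    }
}
SAMPLE_ALIASES = {
    "Aliases": [
        {"AliasName": "alias/aws/lightsail",
         "TargetKeyId": "84aecee5-1122-2233-a1aa-e3cde666eb8a"},
        {"AliasName": "alias/my-app-key",
         "TargetKeyId": "11111111-2222-3333-4444-555555555555"},
    ]
}


def aliases_for(key_id, list_aliases_response):
    """Return the alias names that point at key_id."""
    return [a["AliasName"] for a in list_aliases_response.get("Aliases", [])
            if a.get("TargetKeyId") == key_id]


def classify_key(describe_response, list_aliases_response):
    """Decide whether a key is AWS managed, using both signals the console hides:
    the KeyManager field and an alias under the reserved aws/ prefix."""
    meta = describe_response["KeyMetadata"]
    names = aliases_for(meta["KeyId"], list_aliases_response)
    aws_managed = (meta.get("KeyManager") == "AWS"
                   or any(n.startswith("alias/aws/") for n in names))
    return {
        "key_id": meta["KeyId"],
        "aliases": names,
        "manager": "AWS" if aws_managed else "CUSTOMER",
        # An IAM Allow on kms:ScheduleKeyDeletion only matters for customer
        # managed keys; AWS managed keys cannot be scheduled for deletion at all.
        "schedule_deletion_possible": not aws_managed,
        "reason": ("AWS managed key (service-owned key policy); deletion is not "
                   "available" if aws_managed else "customer managed key; check "
                   "the key policy and IAM policy for kms:ScheduleKeyDeletion"),
    }
```

Running classify_key on a key whose KeyManager is "CUSTOMER" and whose aliases do not start with alias/aws/ reports schedule_deletion_possible as True, which is when the IAM policy in the question actually comes into play.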
0

No, it's from "Customer managed keys" and looks like

arn:aws:kms:us-east-1:012345678901:key/84aecee5-1122-2233-a1aa-e3cde666eb8a
(all numerical parts redacted)

The comment to it: "Default master key that protects my Lightsail signing keys when no other key is defined". That's strange, since I do not have Lightsail resources.

Question is, do I pay for it?

The explanations on the KMS page are not too clear on that.

answered 5 years ago
0

Hello Raj,

Thanks for the response. This is weird. The key should be marked properly; I wasted both my time and the time of those answering me here just because the key is misplaced and mislabeled.

Sincerely,
Konstantin

answered 5 years ago
0

Hello Konstantin,

Agreed. We are now aware of the issue and will fix it asap.

Thanks,

Raj

AWS
answered 5 years ago
