KMS - Best practice on using root principal in Key policy

Question

What are the best practices from AWS on using root Principle (delegate all access to IAM) vs tightly scoped individual IAM principles.
what is the best practice from AWS on using root principle in Key Policy? Is it better to delegate access to IAM (aka root principle) or use tightly scoped principles for each individual IAM policy access?

Kidd Ip · Answer

Below the best practices by AWS:

•	Enable IAM Policies: 
AWS recommends enabling IAM policies in the key policy for most use cases, as it simplifies access management.
•	Use Least Privilege: 
Whether using the root principal or individual principals, always follow the principle of least privilege to minimize security risks.
•	Audit and Monitor: 
Regularly review key policies and IAM policies to ensure they align with your security and compliance requirements.

https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/kms.html

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

Taz · Answer

Hey,

Hope you're keeping well.

In most cases, AWS recommends including the root account principal (`"AWS": "arn:aws:iam:::root"`) in the KMS key policy to delegate permission control to IAM policies. This approach centralizes access management, making it easier to apply changes and maintain least privilege via IAM roles and policies. For highly sensitive keys, you can restrict the key policy to explicit principals, but that requires updating the key policy every time you add or remove access. The key point is to ensure your policy grants only the minimum required actions and to regularly audit both the key policy and IAM permissions.

Thanks and regards,  
Taz

KMS - Best practice on using root principal in Key policy

Add your answer

Relevant content