There's a hardwired safety check in KMS that tries to discourage you from modifying key permissions in a way that would block your own right to do so after the change.
You can bypass this safety mechanism with the --bypass-policy-lockout-safety-check option when using the CLI to set the KMS key policy: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/put-key-policy.html
On a general note, I suggest you note that if the IAM user with permissions resides in the same account, root would implicitly have the permissions to reset the IAM user's credentials and MFA to obtain access. Unless you block this from outside the account with an AWS Organizations Service Control Policy (SCP), which is effective even against the root user, the other alternative would be to place the authorised IAM user in another AWS account, where the root of the account containing the key wouldn't have access.
Also note that root could alternatively raise a support ticket with AWS to ask them to restore access to the key in their own account.
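As an added illustration (not part of Leo's answer and not AWS code): a key policy that grants the key only to a principal in another account, plus a simplified stand-in for the lockout safety check that shows why the CLI would demand --bypass-policy-lockout-safety-check for such a policy. The account IDs and the key-admin ARN are constructed placeholders, and would_lock_out is my own approximation of the check, not AWS's evaluator.

```python
import json

# Constructed placeholder account IDs (not from the original post).
KEY_ACCOUNT = "111111111111"    # account that owns the KMS key
OTHER_ACCOUNT = "222222222222"  # account holding the only authorised admin

def cross_account_only_policy(trusted_principal_arn):
    """Key policy that grants the key only to a principal in another account.
    It omits the usual arn:aws:iam::<key_account>:root statement, so nothing
    in the key-owning account (root included) is granted anything here."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AdminFromOtherAccount",
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def account_of(arn):  # arn:partition:service:region:account:resource
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""

def would_lock_out(policy, key_account):
    """Simplified stand-in for the KMS lockout safety check: True when no Allow
    statement grants kms:PutKeyPolicy (or kms:*) to a principal in the
    key-owning account. Conditions and Deny statements are ignored here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not {"kms:*", "kms:PutKeyPolicy"} & set(_as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        who = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" in who or any(account_of(p) == key_account for p in who):
            return False
    return True

def put_key_policy_command(key_id, policy, key_account):
    """argv for the CLI call; the bypass flag is appended only when needed."""
    cmd = ["aws", "kms", "put-key-policy", "--key-id", key_id,
           "--policy-name", "default", "--policy", json.dumps(policy)]
    if would_lock_out(policy, key_account):
        cmd.append("--bypass-policy-lockout-safety-check")
    return cmd
```

The key policy alone does not complete cross-account access: the IAM policies in the other account must also allow the key-admin user the kms actions on this key's ARN.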
Thanks, Leo, for that quick and very educative answer. The idea was certainly to have the user in another AWS account, but your latter point about being able to reset access just by raising a support ticket makes this whole thing moot.