How can I resolve the CMK key policy error "Policy contains a statement with one or more invalid principals"?

Last updated: 2020-12-29

When I try to modify my AWS Key Management Service (AWS KMS) customer master key (CMK) key policy, the AWS Management Console displays the error "Policy contains a statement with one or more invalid principals".

Instead of the Amazon Resource Name (ARN) of a principal, the CMK key policy contains a principal with a unique ID that looks similar to AIDACKCEVSQ6C2EXAMPLE.

Short description

When you create AWS Identity and Access Management (IAM) identities, you give them friendly names, such as Bob or Developers. IAM entities are identified with friendly names and ARNs. For security purposes, these IAM entities are also assigned a unique ID, such as AIDACKCEVSQ6C2EXAMPLE.

For example, you have an IAM user named Alice specified in an AWS KMS key policy, and Alice leaves the company. Then, a new user named Alice is hired, and an IAM user is created with the same name. Unique IDs ensure that the new Alice can't inherit permissions that were granted to the old Alice. When the IAM entity named in the key policy is deleted, the policy keeps only its unique ID in place of the ARN, so the policy now references a principal that no longer exists.

Resolution

Remove the orphaned unique IDs from the key policy. For more information, see Using key policies in AWS KMS.
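As an added example (not code from this article or from AWS), the Python script below finds the orphaned unique IDs in a key policy document and strips them, dropping any statement that would be left with no principal. The policy document here is constructed inline; in practice it comes from `aws kms get-key-policy` and the cleaned version is applied with `aws kms put-key-policy`.

```python
import json
import re

# Constructed sample key policy modelled on the KMS default policy. The
# second statement lists a deleted user whose ARN was replaced by its unique
# ID, and the third statement names only a deleted role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:user/Bob",
                               "AIDACKCEVSQ6C2EXAMPLE"]},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "Orphaned statement", "Effect": "Allow",
         "Principal": {"AWS": "AROADBQP57FF2AEXAMPLE"},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ]
})

# IAM unique IDs are 20-21 upper-case alphanumerics (users start with AIDA,
# roles with AROA). A bare 12-digit account ID is a valid principal and must
# be kept, as must "*" and any ARN.
UNIQUE_ID = re.compile(r"^[A-Z0-9]{20,21}$")

def is_orphaned(principal: str) -> bool:
    return not principal.startswith("arn:") and UNIQUE_ID.match(principal) is not None

def clean_key_policy(policy_json: str):
    """Return (cleaned policy dict, list of unique IDs that were removed)."""
    policy = json.loads(policy_json)
    removed, kept = [], []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        if aws is None:              # "*" or a Service/Federated principal
            kept.append(stmt)
            continue
        values = [aws] if isinstance(aws, str) else list(aws)
        good = [p for p in values if not is_orphaned(p)]
        removed += [p for p in values if is_orphaned(p)]
        if not good:                 # no principal left: statement is invalid
            continue
        stmt["Principal"]["AWS"] = good[0] if len(good) == 1 else good
        kept.append(stmt)
    policy["Statement"] = kept
    return policy, removed

if __name__ == "__main__":
    cleaned, gone = clean_key_policy(SAMPLE_POLICY)
    print("removed:", gone)
    print(json.dumps(cleaned, indent=2))   # feed this to put-key-policy
```

Review the removed IDs before applying the cleaned policy, since a removed unique ID may indicate a principal that still needs access and should be re-added by its new ARN.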
