How can I resolve the CMK key policy error "Policy contains a statement with one or more invalid principals"?

Last updated: 2019-01-09

When I try to modify my AWS Key Management Service (AWS KMS) customer master key (CMK) key policy, the AWS Management Console displays the error "Policy contains a statement with one or more invalid principals". The CMK policy does not contain the Amazon Resource Name (ARN), and it contains a principal with a unique ID that is similar to AIDAJQABLZS4A3QDU576Q.

Short Description

When you create AWS Identity and Access Management (IAM) identities, you give them friendly names, such as Bob or Developers. IAM entities are identified with friendly names and ARNs. For security purposes, these IAM entities are also assigned a unique ID, such as AIDAJQABLZS4A3QDU576Q.

For example, you have an IAM user named Alice specified in an AWS KMS key policy, and Alice leaves the company. Then, a new user named Alice is hired, and an IAM user is created with the same name. Unique IDs assure that the new Alice can't inherit permissions that were granted to the old Alice.

Resolution

Remove the orphaned unique IDs from the key policy. For more information, see Using Key Policies in AWS KMS.


Did this article help you?

Anything we could improve?


Need more help?