When I try to modify my AWS Key Management Service (AWS KMS) customer master key (CMK) key policy, the AWS Management Console displays the error "Policy contains a statement with one or more invalid principals". The CMK policy does not contain the Amazon Resource Name (ARN), and it contains a principal with a unique ID that is similar to AIDAJQABLZS4A3QDU576Q.

When you create AWS Identity and Access Management (IAM) identities, you give them friendly names, such as Bob or Developers. IAM entities are identified with friendly names and ARNs. For security purposes, these IAM entities are also assigned a unique ID, such as AIDAJQABLZS4A3QDU576Q.

For example, you have an IAM user named Alice specified in an AWS KMS key policy, and Alice leaves the company. Then, a new user named Alice is hired, and an IAM user is created with the same name. Unique IDs assure that the new Alice can't inherit permissions that were granted to the old Alice.

Remove the orphaned unique IDs from the key policy. For more information, see Using Key Policies in AWS KMS.


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2019-01-09