How can I resolve the KMS key policy error "Policy contains a statement with one or more invalid principals"?

Last updated: 2021-08-26

When I try to modify my AWS Key Management Service (AWS KMS) key policy, the AWS Management Console displays the error "Policy contains a statement with one or more invalid principals".

The KMS key policy doesn't contain the Amazon Resource Name (ARN), and it contains a principal with a unique ID that is similar to AIDACKCEVSQ6C2EXAMPLE.

Short description

When you create AWS Identity and Access Management (IAM) identities, you give them friendly names, such as Bob or Developers. IAM entities are identified with friendly names and ARNs. For security purposes, these IAM entities are also assigned a unique ID, such as AIDACKCEVSQ6C2EXAMPLE.

For example, you have an IAM user named Alice specified in an AWS KMS key policy, and Alice leaves the company. Then, a new user named Alice is hired, and an IAM user is created with the same name. Unique IDs assure that the new Alice can't inherit permissions that were granted to the old Alice.

Note: If the KMS key policy has permissions to another account or principal, the key policy is effective only in the Region that hosts the KMS key. For more information, see Overview of key policies.

Resolution

Remove the orphaned unique IDs from the key policy. For more information, see Using key policies in AWS KMS.


Did this article help?


Do you need billing or technical support?