How can I resolve the AWS KMS key policy error "Policy contains a statement with one or more invalid principals"?

Last updated: 2022-03-22

I tried to modify my AWS Key Management Service (AWS KMS) key policy, and I received an error in the AWS Management Console similar to the following:

"PutKeyPolicy request failed

MalformedPolicyDocumentException - Policy contains a statement with one or more invalid principals"

The AWS KMS key policy doesn't contain the Amazon Resource Name (ARN), and it contains a principal with a unique ID that is similar to AIDACKCEVSQ6C2EXAMPLE.

Short description

The AWS KMS PutKeyPolicy API call fails with this error when the specified key policy isn't syntactically or semantically correct.

Resolution

JSON syntax

Confirm that the JSON policy document resource type is valid. To troubleshoot JSON syntax errors, paste the JSON policy document into a JSON Beautifier to check the formatting. Remove any unnecessary characters and add any missing characters. Check for duplicate JSON policy elements and duplicate SID values and remove them.

Invalid principals

Check the principal element in the JSON policy and make sure that the AWS Identity and Access Management (IAM) entity exists. Ensure that the IAM identity is correctly specified with a valid ARN.

Note: You can't use a wildcard in the portion of the ARN that specifies the resource type.

When you create IAM identities, you give them friendly names, such as Bob or Developers. For security purposes, these IAM entities are also assigned a unique ID, such as AIDACKCEVSQ6C2EXAMPLE.

For example, you have an IAM user named Alice specified in an AWS KMS key policy. Then, Alice leaves the company. After that, a new user named Alice is hired, and an IAM user is created with the same name. Unique IDs ensure that the new Alice can't inherit permissions that were granted to the old Alice.

Remove the orphaned unique IDs from the key policy. For more information, see Using key policies in AWS KMS.

Note: If the AWS KMS key policy has permissions to another account or principal, the key policy is in effect only in the AWS Region that contains the KMS key. For more information, see Overview of key policies.
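The checks from the JSON syntax and Invalid principals sections can be run offline before calling PutKeyPolicy. The following Python sketch is an added example, not AWS tooling: the function names, the sample policy, and the assumption that user and role unique IDs start with AIDA and AROA are illustrative.

```python
import json
import re
from collections import Counter

# Assumption: IAM user unique IDs start with AIDA and role unique IDs with AROA.
UNIQUE_ID = re.compile(r"^(AIDA|AROA)[A-Z0-9]{12,}$")

def _reject_duplicates(pairs):
    """json hook: fail on repeated element names instead of keeping the last."""
    dups = [k for k, n in Counter(k for k, _ in pairs).items() if n > 1]
    if dups:
        raise ValueError(f"duplicate JSON element(s): {dups}")
    return dict(pairs)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_key_policy(text):
    """Return (sid, problem) findings for a key policy document."""
    try:
        policy = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return [(None, f"invalid JSON: {exc}")]
    statements = _as_list(policy.get("Statement", []))
    sids = Counter(s["Sid"] for s in statements if s.get("Sid"))
    findings = [(sid, "duplicate Sid") for sid, n in sids.items() if n > 1]
    for stmt in statements:
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. the bare "*" principal
            continue
        for value in _as_list(principal.get("AWS", [])):
            if UNIQUE_ID.match(value):
                findings.append((stmt.get("Sid"), f"orphaned unique ID: {value}"))
            elif value.startswith("arn:") and "*" in value.split(":", 5)[-1].split("/")[0]:
                findings.append((stmt.get("Sid"), f"wildcard in resource type: {value}"))
    return findings

# Constructed sample policy (account ID and names are placeholders).
SAMPLE = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "Admin", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},
  {"Sid": "Use", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
   "Principal": {"AWS": ["arn:aws:iam::111122223333:user/Bob", "AIDACKCEVSQ6C2EXAMPLE"]}},
  {"Sid": "Use", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "*",
   "Principal": {"AWS": "arn:aws:iam::111122223333:*/Alice"}}]}"""

if __name__ == "__main__":
    for sid, problem in lint_key_policy(SAMPLE):
        print(sid, problem)
```

The linter only reports findings; whether an ARN that passes these checks refers to an existing IAM entity still has to be confirmed in IAM.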

Invalid AWS services

If an AWS service is listed as the principal, then make sure that the service is supported by AWS KMS. The principal should be the IAM entity and kms:ViaService should be used for the AWS services making the requests on behalf of the IAM entity.

Check whether the AWS service makes direct calls to AWS KMS. Not all AWS services do. Services such as Amazon Elastic Compute Cloud (Amazon EC2) instead make calls on behalf of a principal in the AWS account. AWS services that make direct calls to AWS KMS, such as Amazon Simple Notification Service (Amazon SNS), must have the service principal in the principal element.

For more information, see Services that support the kms:ViaService condition key.

Opt-in AWS Region

An AWS KMS key that is shared with an AWS account is invalid for the Region where the key is located if the recipient account hasn't opted in to that Region.

Make sure that the AWS Region is enabled in the recipient account or share another AWS KMS key in a Region that is enabled in the AWS account and recipient account. For more information, see Managing AWS Regions.
