How do I resolve the error "The new key policy will not allow you to update the key policy in the future" when I try to create a CMK using AWS CloudFormation?

Last updated: 2019-01-14

When I create a customer master key (CMK) and define an AWS Key Management Service (AWS KMS) key policy using AWS CloudFormation, the CMK creation fails. Then, I get the following error message: "The new key policy will not allow you to update the key policy in the future." How do I resolve this error?

Short Description

AWS KMS performs safety checks when a key policy is created. One safety check confirms that the principal in the key policy has the permissions required to make the CreateKey and PutKeyPolicy API calls. This check eliminates the possibility of the CMK becoming unmanageable, which would mean that you can neither change the key policy nor delete the key.

Be sure that the key policy that you create allows the current user to administer the CMK.

Resolution

When you create an AWS CloudFormation stack, the AWS Identity and Access Management (IAM) user or role used to make the CreateStack API call is also used to create resources specified in the AWS CloudFormation template.

1. When you create a CMK using AWS CloudFormation, choose the same IAM user or role that is used for the key administrator principal for the CMK.

In the following example, the AWS CloudFormation stack is created by the IAM user arn:aws:iam::123456789012:user/Alice, and that same principal is designated as the key administrator. The IAM user "Alice" is therefore allowed to modify the key policy after the key is created.

{
  "Type" : "AWS::KMS::Key",
  "Properties" : {
      "Description" : "A sample key",
      "KeyPolicy" : {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
              {
                  "Sid": "Allow administration of the key",
                  "Effect": "Allow",
                  "Principal": { "AWS": "arn:aws:iam::123456789012:user/Alice" },
                  "Action": [
                      "kms:Create*",
                      "kms:Describe*",
                      "kms:Enable*",
                      "kms:List*",
                      "kms:Put*",
                      "kms:Update*",
                      "kms:Revoke*",
                      "kms:Disable*",
                      "kms:Get*",
                      "kms:Delete*",
                      "kms:ScheduleKeyDeletion",
                      "kms:CancelKeyDeletion"
                  ],
                  "Resource": "*"
              },
              {
                  "Sid": "Allow use of the key",
                  "Effect": "Allow",
                  "Principal": { "AWS": "arn:aws:iam::123456789012:user/Bob" },
                  "Action": [
                      "kms:Encrypt",
                      "kms:Decrypt",
                      "kms:ReEncrypt*",
                      "kms:GenerateDataKey*",
                      "kms:DescribeKey"
                  ],
                  "Resource": "*"
              }
          ]
      }
  }
}

2. Set the principal key administrator.

If your AWS CloudFormation stack is created by a federated user account, set the principal as the federated user's assumed role for the Amazon Resource Name (ARN). See the following example:

"Principal": { "AWS": "arn:aws:sts::123456789012:assumed-role/FederatedAccess/FederatedUsername" }

Note: The name of the IAM role is FederatedAccess, and the name of the federated user is FederatedUsername.

If the AWS CloudFormation service role is used to create the stack, then set the principal as the service role ARN. See the following example:

"Principal": { "AWS": "arn:aws:iam::123456789012:role/ServiceRoleName" }

Note: The name of the AWS CloudFormation service role is ServiceRoleName.

Or, you can set the AWS account root user as the principal key administrator. See the following example:

"Principal": { "AWS": "arn:aws:iam::123456789012:root" }

Note: If the principal key administrator is set to the root ARN, then the IAM user, role, or service role creating the AWS CloudFormation stack must have IAM permissions to make the CreateKey and PutKeyPolicy API calls.
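The safety check described above, approximated as an added Python example (this is not AWS's code or part of the original article): it reads a key policy document and reports whether the principal creating the stack would still be able to call PutKeyPolicy once the policy is attached. The account ID, the ARNs for Alice and Bob and the trimmed policy are constructed sample values; the `iam_allows_kms` flag stands in for the caller's identity-based IAM permissions, which matter only when the policy grants the account root rather than the caller directly.

```python
import fnmatch

# Constructed sample values: the account and users from the article's example policy.
ACCOUNT = "123456789012"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/Alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/Bob"

# Constructed key policy, trimmed from the article's example: Alice administers, Bob only uses.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow administration of the key", "Effect": "Allow",
         "Principal": {"AWS": ALICE},
         "Action": ["kms:Create*", "kms:Put*", "kms:Describe*"], "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": BOB},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_action(statement, api_name):
    """True if an Action pattern such as 'kms:Put*' matches api_name and Resource is '*'."""
    patterns = _as_list(statement.get("Action", []))
    action_ok = any(fnmatch.fnmatchcase(api_name, p) for p in patterns)
    return action_ok and "*" in _as_list(statement.get("Resource", []))

def caller_can_put_key_policy(policy, caller_arn, account_id, iam_allows_kms=False):
    """Approximate the AWS KMS safety check: after this policy is attached, can the
    principal that created the key still call PutKeyPolicy? A grant to the caller's own
    ARN is sufficient; a grant to the account root only helps if the caller's IAM
    policies also allow the action (the article's Note). Conditions, NotAction,
    NotPrincipal and a bare "*" principal are not modelled (simplifying assumption)."""
    root_names = {account_id, f"arn:aws:iam::{account_id}:root"}
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _grants_action(stmt, "kms:PutKeyPolicy"):
            continue
        principal = stmt.get("Principal", {})
        names = set(_as_list(principal.get("AWS", []))) if isinstance(principal, dict) else set()
        if stmt.get("Effect") == "Deny" and (caller_arn in names or names & root_names):
            return False  # an explicit Deny always wins
        if stmt.get("Effect") != "Allow":
            continue
        if caller_arn in names or (names & root_names and iam_allows_kms):
            allowed = True
    return allowed
```

Running the check on a template's KeyPolicy before calling CreateStack, with the ARN that CloudFormation will actually use (user, assumed role, or service role), surfaces the unmanageable-key condition before AWS KMS rejects it.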
