I try to create a customer master key (CMK) and define an AWS Key Management Service (AWS KMS) key policy using AWS CloudFormation, but the CMK creation fails with the error message "The new key policy will not allow you to update the key policy in the future." How do I resolve this?

AWS KMS performs safety checks when a key policy is created, including a check that the principal making the CreateKey request is also allowed to make a PutKeyPolicy API call. This helps reduce the chances that your CMK becomes unmanageable—that is, you won’t be able to change or delete it.

Make sure that the key policy you’re creating allows the current user to administer the CMK. For an example, see Allows Key Administrators to Administer the CMK.

When creating a CloudFormation stack, the IAM user or role used to make the CreateStack API call is also used to create resources in the stack. When creating a CMK, specify this same IAM user or role as the principal for management of the CMK, as in the following example (which assumes the CloudFormation stack is created by the IAM user "Alice" on account "123456789012"):

    "myKey" : {
      "Type" : "AWS::KMS::Key",
      "Properties" : {
          "Description" : "A sample key",
          "KeyPolicy" : {
              "Version": "2012-10-17",
              "Id": "key-default-1",
              "Statement": [
                      "Sid": "Allow administration of the key",
                      "Effect": "Allow",
                      "Principal": { "AWS": "arn:aws:iam::123456789012:user/Alice" },
                      "Action": [
                      "Resource": "*"
                      "Sid": "Allow use of the key",
                      "Effect": "Allow",
                      "Principal": { "AWS": "arn:aws:iam::123456789012:user/Bob" },
                      "Action": [
                      "Resource": "*"

If your CloudFormation stack is created by a federated user account, set the principal as the federated user’s assumed role ARN, as in the following example (where "FederatedAccess" is the name of your federated access IAM Role and "FederatedUsername" is the name of the federated user):

"Principal": { "AWS": "arn:aws:sts::123456789012:assumed-role/FederatedAccess/FederatedUsername" }

Or, the AWS account root user can be specified as the Principal. This passes the key policy safety lockout check and allow the KMS key to be created, as in the following example:

"Principal": { "AWS": "arn:aws:iam::123456789012:root" }

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2016-08-19

Updated: 2018-05-16