Why am I unable to read or update a KMS key policy in AWS KMS?

Last updated: 2021-08-26

I want to update an AWS KMS key policy in AWS Key Management Service (AWS KMS). I verified that I have administrator permissions for my AWS Identity and Access Management (IAM) identities (users, groups, and roles), but I can't read or update the KMS key policy.

Short description

To read a key policy, an IAM principal needs permission for the GetKeyPolicy API action; to update it, PutKeyPolicy. These permissions are granted either directly in the key policy, or by a combination of the key policy and an IAM policy. For more information, see Managing access to AWS KMS keys.

The default KMS key policy contains a statement similar to the following:

{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:root"
  },
  "Action": "kms:*",
  "Resource": "*"
}

With this statement in place, IAM entities in AWS account 111122223333 can perform any AWS KMS action that their attached IAM policies allow. The key policy is the primary access control for a KMS key: an IAM policy can grant access to the key only if the key policy permits it, which is exactly what this statement does by delegating to the account root principal. If your IAM entities can't call API actions such as GetKeyPolicy or PutKeyPolicy even though their attached IAM policies allow them, then the "Enable IAM User Permissions" statement might have been changed or removed.

Resolution

Verify IAM policy permissions

Make sure that your IAM entities have permission to read and update the KMS key policy, similar to the following IAM policy. Here kms:Get* covers GetKeyPolicy and kms:Put* covers PutKeyPolicy, and the Resource element limits the grant to keys in account 111122223333:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    }
  ]
}
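The following Python is an added example, not part of the original article and not AWS code. It evaluates an IAM policy document against the two key-policy actions, using the policy above as the document under test. The key ARN, the Deny variant and the alias ARN are constructed for illustration. It implements only Allow/Deny with wildcard Action and Resource matching (no Condition, NotAction or NotResource), and it says nothing about the key policy, which must still delegate to the account for any IAM grant to take effect.

```python
"""Check whether an IAM policy grants the actions needed on a KMS key policy.

Added example, not AWS code. Only the subset of IAM evaluation that matters
here is implemented: Allow/Deny statements with wildcard Action and Resource
matching, where an explicit Deny wins. Conditions, NotAction/NotResource and
the key policy itself are out of scope, so "allowed" here is necessary, not
sufficient.
"""
import fnmatch
from typing import Any, Dict, List

# The IAM policy from the article (a constructed copy, not fetched from AWS).
KEY_ADMIN_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:TagResource",
                "kms:UntagResource", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
            ],
            "Resource": "arn:aws:kms:*:111122223333:key/*",
        }
    ],
}

# Constructed variant: the same grants plus an explicit Deny on PutKeyPolicy.
DENY_PUT_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": KEY_ADMIN_POLICY["Statement"] + [
        {"Effect": "Deny", "Action": "kms:PutKeyPolicy", "Resource": "*"}
    ],
}

# Hypothetical key ARN in the article's example account.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

REQUIRED_ACTIONS = ["kms:GetKeyPolicy", "kms:PutKeyPolicy"]


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, fold_case: bool) -> bool:
    """Match an IAM wildcard pattern (* and ?) against a value.

    Action names are compared case-insensitively; resource ARNs are not.
    """
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def iam_allows(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """Evaluate one action on one resource: an explicit Deny overrides any Allow.

    Returns False when no statement matches (the implicit deny).
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_matches(p, action, True) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_key_policy_permissions(policy: Dict[str, Any], key_arn: str) -> List[str]:
    """Actions needed to read and update the key policy that `policy` does not grant."""
    return [a for a in REQUIRED_ACTIONS if not iam_allows(policy, a, key_arn)]


if __name__ == "__main__":
    for name, pol in (("article policy", KEY_ADMIN_POLICY), ("with Deny", DENY_PUT_POLICY)):
        print(f"{name}: missing {missing_key_policy_permissions(pol, KEY_ARN) or 'nothing'}")
    # An alias ARN is not a key ARN, so a Resource of key/* does not cover it.
    alias_arn = "arn:aws:kms:us-east-1:111122223333:alias/my-key"
    print("alias ARN:", missing_key_policy_permissions(KEY_ADMIN_POLICY, alias_arn))
```

The alias case is the one that catches people in practice: a Resource element scoped to key/* does not match alias ARNs, and a key in another account never matches the account ID in the pattern, so both report GetKeyPolicy and PutKeyPolicy as missing.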

Use CloudTrail event history

1.    Open the AWS CloudTrail console, and then choose Event history.

2.    Choose the Lookup attributes dropdown list, and then choose Event name.

3.    In the search window, enter PutKeyPolicy.

4.    Open the most recent PutKeyPolicy event.

5.    In Event record, copy the value of the policy field, and paste it into a text editor.

6.    The policy is stored as a JSON string with escaped quotes. Unescape it and format it into a readable JSON document.

7.    In the key policy statement with Sid "Allow access for Key Administrators", note the key administrator principals, similar to the following:

{
  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111122223333:role/Administrator"
    ]
  },

Sign in as one of those key administrator principals, which the default key policy allows to call PutKeyPolicy, and update the key policy to restore the "Enable IAM User Permissions" statement and regain access to the key.
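Steps 5 through 7 can also be done offline with a short script. The following Python is an added example, not part of the original article and not AWS code. It builds constructed CloudTrail PutKeyPolicy records whose shape (the key policy serialized as a JSON string in requestParameters.policy) is an assumption about the event format, picks the most recent record for a key, parses the embedded policy, lists the key administrators, and checks whether the "Enable IAM User Permissions" statement survived. The key ID is hypothetical; the account ID and role name are the article's example values.

```python
"""Recover key administrators from a CloudTrail PutKeyPolicy event, offline.

Added example, not AWS or article code. The records below are constructed to
follow the shape of a CloudTrail PutKeyPolicy event as assumed here: the key
policy is carried in requestParameters.policy as a JSON string, so it has to
be parsed a second time after the event itself. Field layout is an assumption.
"""
import json
from typing import Any, Dict, List

ACCOUNT_ID = "111122223333"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # hypothetical key ID

# Constructed policies: the default one, and a later edit that dropped the
# "Enable IAM User Permissions" statement, which locks out IAM-based access.
DEFAULT_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_ID}:role/Administrator"]},
            "Action": ["kms:Describe*", "kms:Get*", "kms:Put*",
                       "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
    ],
}
BROKEN_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": DEFAULT_POLICY["Statement"][1:],
}


def _event(event_time: str, policy: Dict[str, Any]) -> Dict[str, Any]:
    """Build a constructed CloudTrail record (shape assumed, see module docstring)."""
    return {
        "eventTime": event_time,
        "eventSource": "kms.amazonaws.com",
        "eventName": "PutKeyPolicy",
        "requestParameters": {
            "keyId": KEY_ID,
            "policyName": "default",
            "policy": json.dumps(policy),  # the policy travels as a string
            "bypassPolicyLockoutSafetyCheck": False,
        },
    }


SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _event("2021-08-20T10:15:00Z", DEFAULT_POLICY),
    _event("2021-08-25T09:00:00Z", BROKEN_POLICY),
]


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def latest_put_key_policy(events: List[Dict[str, Any]], key_id: str) -> Dict[str, Any]:
    """Most recent PutKeyPolicy record for key_id; ISO 8601 UTC times sort as text."""
    hits = [e for e in events
            if e.get("eventName") == "PutKeyPolicy"
            and e.get("requestParameters", {}).get("keyId") == key_id]
    if not hits:
        raise LookupError(f"no PutKeyPolicy event for {key_id}")
    return max(hits, key=lambda e: e["eventTime"])


def extract_key_policy(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return the key policy document embedded as a JSON string in the event."""
    raw = event["requestParameters"]["policy"]
    return json.loads(raw) if isinstance(raw, str) else raw


def key_administrators(policy: Dict[str, Any]) -> List[str]:
    """AWS principals named in 'Allow access for Key Administrators' statements."""
    admins: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Sid") == "Allow access for Key Administrators" and stmt.get("Effect") == "Allow":
            principal = stmt.get("Principal")
            if isinstance(principal, dict):
                admins.extend(_as_list(principal.get("AWS")))
    return admins


def iam_delegation_intact(policy: Dict[str, Any], account_id: str) -> bool:
    """True if an Allow statement grants kms:* (or *) to the account root principal.

    Without it, IAM policies in the account cannot grant access to the key.
    """
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if root in principals and actions & {"kms:*", "*"}:
            return True
    return False


if __name__ == "__main__":
    latest = latest_put_key_policy(SAMPLE_EVENTS, KEY_ID)
    policy = extract_key_policy(latest)
    print("latest PutKeyPolicy:", latest["eventTime"])
    print("IAM delegation intact:", iam_delegation_intact(policy, ACCOUNT_ID))
    print("key administrators:", key_administrators(policy))
```

Against the constructed records, the most recent event carries the policy without the root delegation statement, so iam_delegation_intact reports False while key_administrators still returns the Administrator role, which is the principal to use for the fix.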

Use Athena queries

CloudTrail Event history shows only the last 90 days of events. If the PutKeyPolicy event is older than that, use Amazon Athena to query the CloudTrail logs that your trail delivers to Amazon S3.

For instructions, see Using the CloudTrail console to create an Athena table for CloudTrail logs.

For more information, see How do I automatically create tables in Athena to search through CloudTrail logs?

