I was messing around with AWS SES for the first time, and let the service create some default encryption keys for a new organization to encrypt emails. However, when I deleted that organization, the keys stayed behind. I am now unable to schedule them for deletion because I don't have the requisite permissions, even when signed in as the root user. Here is the current policy for these keys:
{
    "Version": "2012-10-17",
    "Id": "auto-ses-2",
    "Statement": [
        {
            "Sid": "Allow SES to encrypt messages belonging to this account",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.us-east-1.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:ses:source-account": "915144628597"
                },
                "Null": {
                    "kms:EncryptionContext:aws:ses:rule-name": "false",
                    "kms:EncryptionContext:aws:ses:message-id": "false"
                }
            }
        },
        {
            "Sid": "Allow SES to describe this key",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.us-east-1.amazonaws.com"
            },
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "Allow direct access to key metadata & decryption to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::915144628597:root"
            },
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*"
        }
    ]
}
As you can see, the root account has permission neither to schedule key deletion nor even to put a new key policy. So as far as I can tell, I have literally no way of removing these keys. All documentation and previous posts that I could find on this matter assume that the user created the key themselves, which I did not. So I thought I'd ask the community for suggestions before going through the trouble of filing a customer service ticket. Your help is much appreciated!
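The lockout the question describes can be checked mechanically. The following is an added example, not code from the post or from AWS: it transcribes the quoted key policy (with the account ID the post shows, 915144628597) and approximates the key-policy part of KMS authorization, with an explicit Deny winning, an Allow needing a matching principal and action (including `*` wildcards), and Resource not checked because a key policy's Resource is always `*` (the key itself). Conditions are not evaluated, which is safe here because the statement granting the account root carries no Condition block; `NotAction`/`NotPrincipal`, IAM identity policies and grants are out of scope. The action set `ADMIN_ACTIONS` is an assumption chosen to illustrate what a key administrator needs.

```python
"""Audit a KMS key policy for a lockout: can the account's root principal
still change the policy or schedule the key for deletion?

Added example, not from the original post.  Key policies are the authority
in KMS: an IAM identity policy cannot grant an action on the key unless the
key policy delegates to the account (typically an Allow for
arn:aws:iam::<account>:root with "kms:*"), so a policy with no such
delegation can only be fixed by whoever the policy itself names.
"""
import fnmatch
from typing import Iterable

ACCOUNT_ID = "915144628597"              # account ID quoted in the post
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"

# The key policy from the post, transcribed verbatim.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "auto-ses-2",
    "Statement": [
        {
            "Sid": "Allow SES to encrypt messages belonging to this account",
            "Effect": "Allow",
            "Principal": {"Service": "ses.us-east-1.amazonaws.com"},
            "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:ses:source-account": ACCOUNT_ID
                },
                "Null": {
                    "kms:EncryptionContext:aws:ses:rule-name": "false",
                    "kms:EncryptionContext:aws:ses:message-id": "false",
                },
            },
        },
        {
            "Sid": "Allow SES to describe this key",
            "Effect": "Allow",
            "Principal": {"Service": "ses.us-east-1.amazonaws.com"},
            "Action": "kms:DescribeKey",
            "Resource": "*",
        },
        {
            "Sid": "Allow direct access to key metadata & decryption to the account",
            "Effect": "Allow",
            "Principal": {"AWS": ROOT_ARN},
            "Action": ["kms:Describe*", "kms:Get*", "kms:List*",
                       "kms:Decrypt", "kms:ReEncryptFrom"],
            "Resource": "*",
        },
    ],
}

# Assumed set of actions a key administrator needs to retire a key.
ADMIN_ACTIONS = ("kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn: str) -> bool:
    """True if the statement's Principal names `arn` (AWS principals only).
    Accepts "*", the full root ARN, or the bare account ID form."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    account_id = arn.split(":")[4]
    return "*" in aws or arn in aws or account_id in aws


def _action_matches(actions, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' / '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(actions))


def key_policy_allows(policy: dict, principal_arn: str, action: str) -> bool:
    """Approximate key-policy decision: any matching Deny wins, otherwise
    allowed iff some Allow matches.  Conditions are not evaluated."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def lockout_report(policy: dict, account_id: str,
                   actions: Iterable[str] = ADMIN_ACTIONS) -> dict:
    """Map each admin action to whether the account root may perform it."""
    root = f"arn:aws:iam::{account_id}:root"
    return {a: key_policy_allows(policy, root, a) for a in actions}


def is_locked_out(policy: dict, account_id: str) -> bool:
    """True when the account root holds none of the admin actions."""
    return not any(lockout_report(policy, account_id).values())


if __name__ == "__main__":
    for action, ok in lockout_report(KEY_POLICY, ACCOUNT_ID).items():
        print(f"{action:26} {'allowed' if ok else 'no matching Allow'}")
    print("locked out:", is_locked_out(KEY_POLICY, ACCOUNT_ID))
```

Run against the quoted policy, every administrative action comes back with no matching Allow while `kms:Decrypt` and `kms:GetKeyPolicy` are allowed, which is exactly the asymmetry the question points at: the account can read and use the key but has been given no path to rewrite its policy. Appending the usual delegation statement (an Allow for the root ARN with `kms:*`) flips `is_locked_out` to False, which is the shape a key policy needs from the start if the account is to retain control of the key.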