
When I open the customer managed keys in region eu-central-1, I can see one key, but I get the following error message:

DescribeKey request failed AccessDeniedException - User: arn:aws:iam::<MY_ACCOUNT>:user/admin is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:eu-central-1:<MY_ACCOUNT>:key/<MY_KEY_ID> because no resource-based policy allows the kms:DescribeKey action

This happens even though I try as the root user or as an admin user who does have the DescribeKey permission.

Even using the AWS CLI, I cannot do anything with this key.

This leads to the strange situation that I can see the key, but I cannot do anything with it, not even delete it or get any details about it. I also cannot see how I can modify the resource-based policy of that key.

Any help is appreciated!

Thomas
  • Accessing keys requires a permissions handshake. You will need to edit the key's policy to allow yourself to edit it. – Josh Beauregard May 26 '22 at 18:21
  • The problem is that I don't seem to be able to do this. Using the AWS CLI, running the command `aws kms list-key-policies --key-id ` as admin gives me the following error: An error occurred (AccessDeniedException) when calling the ListKeyPolicies operation: User: arn:aws:iam:::user/admin is not authorized to perform: kms:ListKeyPolicies on resource: arn:aws:kms:eu-central-1::key/ because no resource-based policy allows the kms:ListKeyPolicies action – Thomas May 26 '22 at 18:34
  • `user/admin` does not sound like root. – Ermiya Eskandary May 26 '22 at 19:03
  • I tried with the admin and the root user. – Thomas May 27 '22 at 21:28
  • I just tried again with a new key: if the key policy does not contain the root user, then logging in again as the root user, I cannot do anything with this key. – Thomas May 27 '22 at 21:38
  • The key policy is by default restricted to the user who created that key. If you can figure out who that user is (via CloudTrail), and you can log in as that user (assuming it still exists!), you can then edit the key policy and assign permissions to other users. If not, the only alternative is to open a support ticket and go through the (convoluted, but doable) key recovery procedure. – Bogd Jul 13 '23 at 09:39

4 Answers


I cannot comment because I don't have 50 reputation, so I'll add this as an answer: if you create a KMS key while logged in using SSO (AWS Identity Center), and then your admin deletes and recreates the permission set used to log in, you lose access to the key. Similarly, if you assume a role and create a KMS key, and that role gets recreated (e.g. by Terraform / CloudFormation / a script), you lose access to the key.

  • The root user cannot delete it
  • You cannot recreate the original role, because roles have unique IDs

So basically, you're stuck with unmanageable KMS keys. Something else to note is that you could try to contact AWS Support to regain access to the KMS keys or to delete them. However, you cannot create a support ticket unless you have a paid support plan. And if you have multiple AWS accounts (isn't that recommended?) you must be paying for support in the specific account that holds the KMS keys! AWS Organizations does not consolidate AWS support under one org!

  • This should be the correct answer. To be fair to AWS, it is possible to recover access to the keys via a support ticket (and a very convoluted procedure), even if you do not have a paid support plan. But it is still absolutely incredible that their system allows for a situation in which you (even as the root user!!) are completely locked out from managing a resource... – Bogd Jul 13 '23 at 09:37

Okay, I actually found a solution. I tried logging in as each of my users, and one of them was actually the one that had all permissions according to the resource-based policy and could delete it.

Still, it is a bit surprising to me that the root user wasn't able to do so, but I am happy to have solved it.

Thomas
  • The AWS account [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) has complete access to all AWS services and resources in the account. You might be referring to an IAM User with admin permissions, which is not the same thing as the root user. – jarmod May 26 '22 at 21:08
  • I have now already changed the key policy, but I am quite sure that with the key policy from yesterday the root user could not do anything about this key. Which did surprise me as well. – Thomas May 27 '22 at 21:27
  • I just tried again with a new key: if the key policy does not contain the root user, then logging in again as the root user, I cannot do anything with this key. – Thomas May 27 '22 at 21:38

I had the same issue today. I just figured out the following solution and hope it will be helpful for somebody with the same issue.

Issue:

DescribeKey request failed AccessDeniedException - User: arn:aws:iam::<MY_ACCOUNT>:user/admin is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:eu-central-1:<MY_ACCOUNT>:key/<MY_KEY_ID> because no resource-based policy allows the kms:DescribeKey action

Root cause:

  • I found that only the user who created the key has the ability to manage the key (view, edit, delete).
  • Even when the following permissions are granted to the other user, that user still cannot manage the AWS KMS keys:
AWSKeyManagementServicePowerUser
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDescribeKey",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowUseOfAllKMSKeys",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt"
            ],
            "Resource": "*"
        }
    ]
}

Debug & resolve:

  1. Log in to your AWS account (as admin) and use CloudTrail to see which user created the keys (make sure you're in the right AWS region).
  2. Log in to your AWS account as the user who created the keys.
  3. In the AWS KMS console, you should now be able to manage the keys (view, edit, delete), as in the attached screenshot.

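The lockout described in the answers above comes down to the key policy itself: an identity-based policy like the one quoted in this answer only takes effect when the key policy grants the account principal (arn:aws:iam::<ACCOUNT>:root) access, and a principal whose IAM user or role has been deleted is left as a bare unique ID that a recreated role never matches. The following check is an added example, not code from the question or any answer: it parses a key policy document and flags both conditions, and the account ID, principal ARNs and unique ID in the sample policies are constructed placeholders.

```python
import json
import re

# When the IAM user (AIDA...) or role (AROA...) named in a policy is
# deleted, AWS rewrites the ARN to the bare unique ID; a recreated
# user or role gets a new ID, so the statement never matches it again.
UNIQUE_ID_RE = re.compile(r"^(AIDA|AROA)[A-Z0-9]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def analyse_key_policy(policy_json, account_id):
    """Return whether the account principal keeps full control of the
    key and which principals are dangling unique IDs."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    account_has_full_access = False
    dangling = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        grants_all = bool(actions & {"kms:*", "*"})
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for p in aws:
            # The account may be written as its root ARN or as the bare account ID.
            if p in (root_arn, account_id) and grants_all:
                account_has_full_access = True
            if UNIQUE_ID_RE.match(p):
                dangling.append(p)
    return {"account_has_full_access": account_has_full_access,
            "dangling_principals": dangling,
            "lockout_risk": not account_has_full_access}


# Constructed sample policies; the account ID and unique ID are placeholders.
ACCOUNT = "111122223333"
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"}]})
# Only the creating user, plus a role that has since been deleted.
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CreatorOnly", "Effect": "Allow",
     "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/creator",
                           "AROAEXAMPLEDELETEDROLE"]},
     "Action": "kms:*", "Resource": "*"}]})
```

Run it against the output of `aws kms get-key-policy --key-id <KEY_ID> --policy-name default --output text` for each key; any key whose report shows `lockout_risk` is one that only its creator (or a support ticket) can still manage.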


By default, the root user should get permissions on a newly created CMK, but maybe the user who created the key changed the resource policy for some reason.

You can use AWS CloudTrail to understand how and when this key policy was changed.

v-rosa
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community May 14 '23 at 14:58