The new key policy will not allow you to update the key policy in the future

In case this helps someone, be aware of the remark in https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/

Important: Be sure that the key policy that you create allows the current user to administer the CMK.

I was having this issue while deploying my template from a pipeline, and the proposed solutions did not work for me. The role used to deploy the template had the corresponding KMS permissions, but it also needed to be in the principal of the key policy!

  - Effect: Allow
    Action: kms:*
    Resource: "*"
    Principal:
      AWS:
        - !Sub arn:aws:iam::${AWS::AccountId}:role/PipelineRole 

You are missing the Resource: "*" attribute. This worked for me:

  LambdaKmsKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeyPolicy:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Action: kms:*
          Resource: "*"
          Principal:
            AWS: !Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":root" ] ]

The Resource: "*" is required and is the only possible value:

Resource – (Required) In a key policy, you use "*" for the resource, which means "this CMK." A key policy applies only to the CMK it is attached to.

See https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/ for an example.
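
A pre-deployment check for the two conditions described in the answers above (every statement carries Resource: "*", and the deploying role or its account root is granted kms:PutKeyPolicy). This is an added example, not code from the answers or from AWS; the function names and the account id 111122223333 are assumptions, and the policy evaluation is deliberately simplified.

```python
import fnmatch

REQUIRED_ACTION = "kms:PutKeyPolicy"  # needed to change the key policy later

def _as_list(value):
    """Policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    """True if the statement names the caller or the caller's account root."""
    if principal == "*":
        return True
    account_id = caller_arn.split(":")[4]
    # Assumption: an account-root grant is enough because the caller's IAM
    # policy already allows the KMS action, as on the page.
    accepted = {caller_arn, account_id, f"arn:aws:iam::{account_id}:root"}
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return any(p in accepted for p in _as_list(aws))

def check_key_policy(policy, caller_arn):
    """Return findings for a parsed key policy; an empty list means it passed."""
    findings, can_administer = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if "*" not in _as_list(stmt.get("Resource")):
            findings.append(f'statement {i}: Resource must be "*"')
            continue
        # Simplification: Deny and NotAction are not evaluated, and
        # statements with a Condition are not counted as grants.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        covers = any(fnmatch.fnmatchcase(REQUIRED_ACTION.lower(), str(a).lower())
                     for a in _as_list(stmt.get("Action")))
        if covers and _principal_matches(stmt.get("Principal"), caller_arn):
            can_administer = True
    if not can_administer:
        findings.append(f"{caller_arn} is not granted {REQUIRED_ACTION}")
    return findings

# Constructed sample input; the account id is a placeholder.
CALLER = "arn:aws:iam::111122223333:role/PipelineRole"
BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/OtherRole"}}]}
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": [CALLER]}}]}
```

Run it against the KeyPolicy block rendered from the template before the pipeline deploys; BROKEN yields two findings and FIXED yields none.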