🔐
AWS SCS-C01
  • Practice Test Scores
  • Domain 1 - Incident Response
    • Incident Response
    • Exposed AWS Access Keys
    • Compromised EC2 Instance
    • How do you report abuse of AWS resources?
    • GuardDuty
    • Penetration Testing
  • Domain 2 - Logging & Monitoring
    • Some Basics
    • Inspector
    • Security Hub
    • AWS WAF
    • Systems Manager
    • Systems Manager Features
    • CloudWatch Logs
    • Athena
    • CloudTrail
    • Config
    • Trusted Advisor
    • CloudTrail Log File Integrity
    • Macie
    • S3 Event Notifications
    • VPC Flow Logs
    • Centralized Logging Architecture
  • Domain 3 - Infrastructure Security
    • Bastion Hosts
    • Site-to-Site VPN
    • VPC Peering
    • VPC Endpoints
    • Network ACL
    • Firewall vs IPS vs IDS
    • EBS
    • CloudFront
    • Shield
    • Mitigating DDoS Attacks
    • EC2 Key Pair Troubleshooting
    • EC2 Tenancy
    • Artifact
    • Lambda@Edge
    • Simple Email Service (SES)
    • DNS Support in VPC
  • Domain 4 - Identity & Access Management
    • Organizations
    • IAM Policy Evaluation Logic
    • Understanding IAM Policies
    • IAM Tutorial: Delegate access across AWS accounts using IAM roles
    • External ID
    • iptables
    • IAM policy elements: Version
    • IAM policy elements: Variables and tags
    • Policy elements: Principal and NotPrincipal
    • IAM policy elements: Condition
    • Security Token Service (STS)
    • Identity federation in AWS
    • Enabling SAML for your AWS resources
    • Single Sign-On
    • Cognito
    • Directory Service
    • Trusts in Active Directory
    • Example S3 Bucket Policies
    • Cross-account access to S3 buckets using Resource-based policies and IAM policies
    • S3 Access Control Lists (ACLs)
    • Presigned URLs
    • S3 Versioning
    • S3 Cross-Region Replication (CRR)
    • S3 Object Lock
    • Configuring MFA-protected API access
    • IAM Permission Boundaries
  • Domain 5 - Data Protection
  • CloudHSM
  • Key Management Service (KMS)
  • Symmetric CMKs vs Asymmetric CMKs
  • Data Key Caching
  • Deleting KMS CMKs
  • Default KMS Key Policy
  • Managing access to KMS CMKs
  • KMS CMK Key Types
  • Rotating KMS CMKs
  • Example Key Policies for KMS Questions
  • KMS Grants
  • KMS CLI Commands
  • Importing key material in KMS
  • KMS Condition Keys
  • Migrating Encrypted KMS Data Across Regions
  • KMS Encryption Context
  • CloudHSM vs KMS
  • S3 Data Encryption
  • Application Load Balancer (ALB)
  • ELB Listeners Part 1
  • ELB Listeners Part 2
  • AWS Certificate Manager (ACM)
  • Glacier
  • DynamoDB Encryption
  • AWS Secrets Manager
  • Summaries
    • Domain 1
    • Domain 2
    • Domain 3
    • Domain 4
    • Domain 5
Powered by GitBook
On this page
  • Reduces the risk of the CMK becoming unmanageable.
  • Enables IAM policies to allow access to the CMK.

Was this helpful?

Default KMS Key Policy

  • The default key policy gives the AWS account (root user) that owns the CMK full access to the CMK, which accomplishes the following two things:

Reduces the risk of the CMK becoming unmanageable.

  • You cannot delete your AWS account's root user, so allowing access to this user reduces the risk of the CMK becoming unmanageable.

  • For example, if a CMK's key policy allows only one IAM user, Alice, to manage the CMK and his key policy does not allow access to the root user. Later, someone deletes IAM user Alice.

    • In this scenario, the CMK is now unmanageable, and you must contact AWS Support to regain access to the CMK.

      • The root user does not have access to the CMK, because the root user can access a CMK only when the key policy explicitly allows it. This is different from most other resources in AWS, which implicitly allow access to the root user.

Enables IAM policies to allow access to the CMK.

  • IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them in combination with a CMK's key policy if the key policy enables it.

  • Giving the AWS account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK.

PreviousDeleting KMS CMKsNextManaging access to KMS CMKs

Last updated 4 years ago

Was this helpful?