"When you create a CMK, you choose who can manage or use that CMK. These permissions are contained in a document called the key policy. You can use the key policy to add, remove, or modify permissions at any time for a customer-managed CMK, but you cannot edit the key policy for an AWS-managed CMK."
With reference to the above, what are the Admin and User permissions on an AWS-Managed CMK? Is it available for use by default by all AWS users and roles in the account?
I’ve been doing some testing around this and here is what I’ve concluded:
For AWS-Managed CMKs there are no Admin permissions; those keys are automatically created and fully managed by AWS. Each service supported by KMS has one key per region, which is automatically generated upon a user's first request to encrypt with a supported service such as S3 or EC2 instances. Any user can use the AWS-Managed CMKs for a service which they have access to, but depending on the user permissions, additional permissions might be required. For instance, if a normal non-admin account user with S3 permissions wants to encrypt an S3 object, they must be granted the "kms:ListAliases" permission by a system administrator; otherwise the user won't be able to list the keys and choose the right one for encryption.
Thanks for the response. The admin part is clear, with AWS managing the CMK as the name implies. What I would like to know is: if a user encrypts an S3 object or EBS volume with this CMK, will other users be able to read it? (Assuming the policy grants all users access to use the CMK.)
Yes, as long as the user has read privileges on the object itself through a policy or a role (e.g. S3FullAccess), they can read the encrypted data.
For reference, see the bottom of this page: https://docs.aws.amazon.com/kms/latest/developerguide/workflow.html
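To make the two answers above concrete, here is an added example; it is not code from this thread or from AWS. It is a small Python evaluator run over a constructed key policy in the shape AWS attaches to its managed S3 key (alias aws/s3). The account id, region and principal names are assumptions, the policy is a constructed sample, and the evaluator models only the key-policy side (Principal, wildcard Action, StringEquals conditions on kms:CallerAccount and kms:ViaService), not the caller's IAM identity policy.

```python
"""Mini evaluator for an AWS KMS key policy, written for this thread as a
hypothetical illustration (not AWS code). It models only what the thread
needs: Allow/Deny effect, Principal matching, wildcard Action matching and
StringEquals conditions on kms:CallerAccount / kms:ViaService."""
import fnmatch

ACCOUNT = "111122223333"  # constructed account id
REGION = "us-west-2"      # assumed region of the key

# Constructed sample, shaped like the policy AWS attaches to the AWS-managed
# key for S3 (alias aws/s3): every principal in the account may use the key,
# but only through S3 in this region; the account root may read metadata;
# nobody is granted kms:PutKeyPolicy or kms:ScheduleKeyDeletion.
AWS_MANAGED_S3_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "auto-s3-2",
    "Statement": [
        {
            "Sid": "Allow access through S3 for all principals in the account "
                   "that are authorized to use S3",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:CallerAccount": ACCOUNT,
                "kms:ViaService": f"s3.{REGION}.amazonaws.com"}},
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": ["kms:Describe*", "kms:Get*", "kms:List*", "kms:RevokeGrant"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(principal, caller_arn):
    # "*" or {"AWS": "*"} means any principal; otherwise an exact ARN match.
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or caller_arn in allowed


def _conditions_hold(condition, context):
    # Only StringEquals is modelled; a condition key absent from the request
    # context (e.g. a direct KMS call has no kms:ViaService) fails the test.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, caller_arn, action, context):
    """Return "Allow" or "Deny" for one request against the key policy.

    Implicit deny by default; an explicit Deny statement overrides any Allow.
    The caller's own IAM identity policy is NOT modelled here.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, pat)
                   for pat in _as_list(stmt["Action"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def thread_scenarios():
    """The cases discussed in the thread, as (scenario -> decision)."""
    alice = f"arn:aws:iam::{ACCOUNT}:user/alice"          # assumed user
    mallory = "arn:aws:iam::999999999999:user/mallory"    # other account
    via_s3 = {"kms:CallerAccount": ACCOUNT,
              "kms:ViaService": f"s3.{REGION}.amazonaws.com"}
    direct = {"kms:CallerAccount": ACCOUNT}
    other_via_s3 = dict(via_s3, **{"kms:CallerAccount": "999999999999"})
    p = AWS_MANAGED_S3_KEY_POLICY
    return {
        "alice reads an object another user encrypted, via S3":
            evaluate(p, alice, "kms:Decrypt", via_s3),
        "alice calls kms:Decrypt directly, bypassing S3":
            evaluate(p, alice, "kms:Decrypt", direct),
        "mallory (other account) via S3":
            evaluate(p, mallory, "kms:Decrypt", other_via_s3),
        "alice tries to become key admin (kms:PutKeyPolicy)":
            evaluate(p, alice, "kms:PutKeyPolicy", via_s3),
        "account root reads key metadata directly":
            evaluate(p, f"arn:aws:iam::{ACCOUNT}:root", "kms:DescribeKey", direct),
        "alice kms:ListAliases (must come from her IAM policy instead)":
            evaluate(p, alice, "kms:ListAliases", direct),
    }


if __name__ == "__main__":
    for scenario, decision in thread_scenarios().items():
        print(f"{decision:5}  {scenario}")
```

Running it reproduces the thread's conclusions: any principal in the account gets Allow for kms:Decrypt when the call arrives through S3 in that region (so a second user who also has s3:GetObject can read the object), the same call made directly to KMS is denied because kms:ViaService is absent from the request context, a principal from another account is denied by the kms:CallerAccount condition, and no statement grants kms:PutKeyPolicy, which is the "no admin permissions" point. kms:ListAliases is also denied by the key policy; it is an account-level permission that has to come from the user's IAM identity policy, consistent with the first answer.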