When you create a CMK, you choose who can manage or use that CMK. These permissions are contained in a document called the key policy. You can use the key policy to add, remove, or modify permissions at any time for a customer-managed CMK, but you cannot edit the key policy for an AWS-managed CMK.
With reference to the above, what are the Admin and User permissions on an AWS-Managed CMK? Is it available to use by default for all AWS users and roles in the account?
I’ve been doing some testing around this and here is what I’ve concluded:
For AWS-Managed CMKs there are no Admin permissions; those keys are automatically created and fully managed by AWS. Each service supported by KMS has one key per region, which is automatically generated upon the first request by a user to encrypt a supported service such as S3 or EC2 instances. Any user can use the AWS-Managed CMKs for a service which they have access to, but depending on the user permissions, additional permissions might be required. For instance, if a normal non-admin account user with S3 permissions wants to encrypt an S3 object, they must be granted the "kms:ListAliases" permission by a system administrator; otherwise the user won't be able to list the keys and choose the right one for encryption.
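As an added example (not code from the question or the answer above, and not an AWS library), the following Python shows the two points made in this thread in checkable form: an AWS-managed key is recognised by `KeyManager == "AWS"` in its `DescribeKey` metadata and its key policy cannot be edited, while a customer-managed key's can; and a non-admin S3 user's identity policy can be checked for the `kms:ListAliases` action the answer says is needed. The key IDs, the `Aliases` field merged into the metadata, and the two identity policies are constructed sample data; the policy evaluator is a simplified model that ignores Resource and Condition elements.

```python
import fnmatch
import json

# Constructed sample of KeyMetadata as returned by kms:DescribeKey, with the
# key's aliases merged in for readability (real metadata has more fields and
# does not carry aliases). The key IDs are placeholders, not real keys.
SAMPLE_KEYS = [
    {
        "KeyId": "00000000-0000-0000-0000-000000000001",
        "KeyManager": "AWS",  # created and managed by AWS for a service
        "Aliases": ["alias/aws/s3"],
        "Description": "Default key that protects my S3 objects when no other key is defined",
    },
    {
        "KeyId": "00000000-0000-0000-0000-000000000002",
        "KeyManager": "CUSTOMER",  # customer-managed: key policy is editable
        "Aliases": ["alias/app-data"],
        "Description": "Application data key",
    },
]


def is_aws_managed(meta):
    """True when KeyManager is 'AWS' (an aws/<service> key)."""
    return meta.get("KeyManager") == "AWS"


def classify_keys(keys):
    """Map each key id to who manages it and whether its key policy can be edited.

    Adding, removing or modifying key-policy permissions is only possible for
    customer-managed keys; the policy of an AWS-managed key is fixed by AWS.
    """
    report = {}
    for meta in keys:
        aws_managed = is_aws_managed(meta)
        report[meta["KeyId"]] = {
            "aliases": list(meta.get("Aliases", [])),
            "managed_by": "AWS" if aws_managed else "CUSTOMER",
            "policy_editable": not aws_managed,
        }
    return report


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_policy_allows(policy_doc, action):
    """Simplified IAM identity-policy evaluation for a single action.

    An explicit Deny on a matching action wins; otherwise any matching Allow
    grants it. Action patterns use IAM-style wildcards ('kms:*', 'kms:List*').
    Resource and Condition elements are ignored, which is enough to answer
    'does this user have kms:ListAliases at all?'.
    """
    allowed = False
    for stmt in _as_list(policy_doc.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


# The permission the answer above says a non-admin S3 user needs in order to
# list keys and pick one when encrypting an object.
REQUIRED_FOR_KEY_SELECTION = ["kms:ListAliases"]


def missing_key_selection_permissions(policy_doc):
    """Return the required KMS actions that the identity policy does not grant."""
    return [a for a in REQUIRED_FOR_KEY_SELECTION
            if not identity_policy_allows(policy_doc, a)]


# Constructed identity policies for a non-admin S3 user, before and after
# the administrator adds kms:ListAliases.
S3_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "*"}
  ]
}""")

S3_WITH_KMS_LIST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:ListAliases", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(classify_keys(SAMPLE_KEYS), indent=2))
    print("missing before fix:", missing_key_selection_permissions(S3_ONLY_POLICY))
    print("missing after fix:", missing_key_selection_permissions(S3_WITH_KMS_LIST_POLICY))
```

Against real accounts the same checks would be fed from `kms:DescribeKey` and `kms:ListAliases` output rather than the constructed samples; the `KeyManager` field is what distinguishes an `aws/<service>` key from one you created yourself.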