Certified Security - Specialty


disabling and deleting KMS keys

Looks like users with system admin roles are no longer able to disable or delete KMS keys. Only users with Administrator Access are able to do so.

3 Answers

Deleting KMS keys can be very dangerous because any data using that key will be lost. This is why only full admin users are being granted this blanket right. But any other user can disable or delete the key if they are granted key administration rights by the individual key's key policy. This is designed so the admin users can create the keys and then delegate the rights to the required users.
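To make the delegation point concrete, here is an added example (not code from the course or from anyone in this thread) that builds a KMS key policy granting key administration, including kms:DisableKey and kms:ScheduleKeyDeletion, to one named principal, and then runs a simplified evaluation of who that policy lets do what. The account id and the user names are constructed for the example; the evaluator models only explicit Allow statements and the "root" statement that lets IAM identity policies in the account apply, not the full AWS evaluation logic (explicit denies, conditions, SCPs, grants).

```python
import fnmatch
import json

# Constructed sample values for this example (not from the thread).
ACCOUNT_ID = "111122223333"
ROOT_PRINCIPAL = f"arn:aws:iam::{ACCOUNT_ID}:root"
KEY_ADMIN_PRINCIPAL = f"arn:aws:iam::{ACCOUNT_ID}:user/finance-key-admin"
SYSADMIN_PRINCIPAL = f"arn:aws:iam::{ACCOUNT_ID}:user/sysadmin"

# Administrative KMS actions delegated to the key administrator. These are real
# KMS action names; the list is deliberately narrow and contains no
# cryptographic-use actions (Encrypt/Decrypt/GenerateDataKey).
KEY_ADMIN_ACTIONS = [
    "kms:Describe*",
    "kms:EnableKey",
    "kms:DisableKey",
    "kms:PutKeyPolicy",
    "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion",
]


def build_key_policy(key_admin_arn):
    """Key policy with the account root statement plus one delegated key admin."""
    return {
        "Version": "2012-10-17",
        "Id": "example-key-policy-with-delegated-administration",
        "Statement": [
            {
                # Without this statement, IAM identity policies (for example a
                # user holding AdministratorAccess, i.e. kms:*) cannot reach the key.
                "Sid": "Enable IAM policies in this account",
                "Effect": "Allow",
                "Principal": {"AWS": ROOT_PRINCIPAL},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow key administration for the delegated user only",
                "Effect": "Allow",
                "Principal": {"AWS": key_admin_arn},
                "Action": KEY_ADMIN_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _action_matches(pattern, action):
    # Policy actions may carry a trailing wildcard such as "kms:Describe*".
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed_by_key_policy(policy, principal_arn, action, identity_policy_allows=False):
    """Simplified evaluation: explicit Allow statements only.

    identity_policy_allows says whether the principal's own IAM policy grants
    the action; that only counts when the key policy's root statement exists.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if principal_arn in principals:
            return True
        if ROOT_PRINCIPAL in principals and identity_policy_allows:
            return True
    return False


def delegation_demo():
    """Who can disable or delete the key under the policy above."""
    policy = build_key_policy(KEY_ADMIN_PRINCIPAL)
    return {
        # Delegated key administrator: allowed directly by the key policy.
        "key_admin_can_disable": is_allowed_by_key_policy(
            policy, KEY_ADMIN_PRINCIPAL, "kms:DisableKey"),
        "key_admin_can_schedule_deletion": is_allowed_by_key_policy(
            policy, KEY_ADMIN_PRINCIPAL, "kms:ScheduleKeyDeletion"),
        # Key administration does not imply cryptographic use of the key.
        "key_admin_can_decrypt": is_allowed_by_key_policy(
            policy, KEY_ADMIN_PRINCIPAL, "kms:Decrypt"),
        # SystemAdministrator-style user whose IAM policy lacks these KMS actions.
        "sysadmin_without_iam_grant": is_allowed_by_key_policy(
            policy, SYSADMIN_PRINCIPAL, "kms:ScheduleKeyDeletion"),
        # AdministratorAccess-style user: kms:* in IAM, reaching the key via root.
        "full_admin_via_iam": is_allowed_by_key_policy(
            policy, SYSADMIN_PRINCIPAL, "kms:ScheduleKeyDeletion",
            identity_policy_allows=True),
    }


if __name__ == "__main__":
    print(json.dumps(build_key_policy(KEY_ADMIN_PRINCIPAL), indent=2))
    print(delegation_demo())
```

The policy document returned by build_key_policy is the shape you would pass to the real kms:PutKeyPolicy API; the evaluator is only there to show the two rules at work, so treat the real AWS policy simulator as the authority for any production key.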

Right, but Ryan showed in the hands-on course that the user "elon musk" with the system admin right was able to disable and delete keys. I am saying system admins are no longer allowed to do this.

For AWS managed policies like the SystemAdministrator policy you can view the detailed permissions it provides, and you can also view the "Policy versions" tab, which shows the historical versions of this policy and what permissions it had. This policy looks to never have been granted full KMS permissions that would allow the kms:DisableKey or kms:ScheduleKeyDeletion permissions.

When I re-watch the KMS Part 2 video I see that it shows him logging in as Elon Musk and showing he has full rights as a full administrator user, and then when demoting Elon Musk to a SystemAdministrator only, he was then unable to even use the KMS key at all and could not grant himself more permissions. He was highlighting the fact that we should be careful to not grant full administrator permissions to all our system administrators, because they would be able to access ALL KMS keys, and should use more limited permissions like SystemAdministrator that do not have this permission for most users where possible. He then showed logging in as John Adam, the finance user that was set up with full access to this one KMS key, and showed that they were able to delete the KMS key and the effect this deletion action had.

You may have missed the bit in the video around 4:45 where he changed user from Elon to John before he did the deletion.
