Certified Security - Specialty

Sign Up Free or Log In to participate!

In KMS Part 2, after CFO scheduled deletion of the Master key, Can root user just remove the encryption in S3?

It seems that root user can change the S3 encryption to None at anytime, can someone please confirm if that’s still doable after the deletion of Master key?

4 Answers

No, it’s not possible. I’ve just tried to do that and it throws " An unexpected error occurred" at the console. File data is really lost.

I went in as the Administrator and changed the encryption back to none for the file. When I clicked save, it said there was "an unexpected error." I tried this several times, and it didn’t work. This is because the file was encrypted to a particular user, John.Adams.  Therefore the Administrator cannot fix this, if the user has deleted the key. Interestingly, as the Administrator, I was able to re-enable the key. So if the key has not been deleted (marked for deletion can take place in as short as 7 days), then you would be able to decrypt the files.


Mike on Ryan kMS video when he disabled the key. He tried using another account with admin user or root user permission and he was not able to see it since the key was disabled pending deletion. During the pending deletion timeframe u can restore the key and then it will work.

To expound a little, removing the encryption in S3 would require that the data be decrypted. Since the key has been deleted (assuming the wait period has expired), it is impossible to decrypt the data. So it’s not that an administrator can’t remove the encryption in S3, but that when the admin tries AWS can’t find the key to decrypt the data.

In this example where the CFO scheduled the key for deletion, you should have a CloudWatch event notifying you that a key has been scheduled for deletion.  In this scenario where the CFO was doing something malicious, you would need to log in as a full admin or the root user, cancel the key deletion, enable the KMS key, (and probably revoke the CFO’s access to the key or AWS).  Once the key is re-enabled, users with access to the key can interact with encrypted resources normally, including for S3 changing or removing SSE via that KMS key.

Chuck Dota

After reviewing the lession, the question should be asked if a non-admin user should even have the ability to delete a KMS key? It would be a situation of a custom KMS policy being created I believe.

Balaji Venkatraman

NO I dont think so..only the user who has created the keys or who is eligible to administer it can delete the key..Further help needed root can always be used for enabling/deleting/managing the keys but not allowed to access the encrypted data as only the owner has the right to do so.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?