It seems that the root user can change the S3 encryption to None at any time; can someone please confirm whether that’s still doable after the deletion of the master key?
No, it’s not possible. I’ve just tried to do that and it throws "An unexpected error occurred" in the console. The file data is really lost.
I went in as the Administrator and changed the encryption back to none for the file. When I clicked save, it said there was "an unexpected error." I tried this several times, and it didn’t work. This is because the file was encrypted to a particular user, John.Adams. Therefore the Administrator cannot fix this if the user has deleted the key. Interestingly, as the Administrator, I was able to re-enable the key. So if the key has not yet been deleted (a key marked for deletion can be deleted in as little as 7 days), then you would be able to decrypt the files.
To expound a little, removing the encryption in S3 would require that the data be decrypted. Since the key has been deleted (assuming the wait period has expired), it is impossible to decrypt the data. So it’s not that an administrator can’t remove the encryption in S3, but that when the admin tries, AWS can’t find the key to decrypt the data.
In this example where the CFO scheduled the key for deletion, you should have a CloudWatch event notifying you that a key has been scheduled for deletion. In this scenario where the CFO was doing something malicious, you would need to log in as a full admin or the root user, cancel the key deletion, and enable the KMS key (and probably revoke the CFO’s access to the key or to AWS). Once the key is re-enabled, users with access to the key can interact with encrypted resources normally, including, for S3, changing or removing SSE via that KMS key.
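An added illustration of the detection-and-recovery path that last reply describes (not code from anyone in this thread): an EventBridge rule pattern for the CloudTrail record of ScheduleKeyDeletion, and a handler that cancels the pending deletion and re-enables the key. The KMS client here is a constructed offline stand-in; in a deployment you would pass boto3.client('kms'), and the sample event, key id and account id are made up.

```python
# EventBridge rule pattern (constructed) matching the CloudTrail record of
# kms:ScheduleKeyDeletion, the call the CFO in the thread would have made.
EVENT_PATTERN = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["kms.amazonaws.com"],
               "eventName": ["ScheduleKeyDeletion"]},
}
# Constructed sample event in the shape EventBridge hands to the handler.
SAMPLE_EVENT = {
    "source": "aws.kms",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "kms.amazonaws.com",
        "eventName": "ScheduleKeyDeletion",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/John.Adams"},
        "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                              "pendingWindowInDays": 7},
    },
}

class FakeKms:
    """Offline stand-in for boto3.client('kms') with the same method names."""
    def __init__(self, state):
        self.state, self.calls = state, []
    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, "KeyState": self.state}}
    def cancel_key_deletion(self, KeyId):
        self.calls.append("cancel_key_deletion")
        self.state = "Disabled"  # KMS leaves a cancelled key Disabled
    def enable_key(self, KeyId):
        self.calls.append("enable_key")
        self.state = "Enabled"

def remediate(event, kms):
    """Cancel the pending deletion and re-enable the key; return a record of
    what was done (actor included) for logging and access review."""
    detail = event.get("detail", {})
    key_id = (detail.get("requestParameters") or {}).get("keyId")
    actions = []
    if key_id:
        state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
        if state == "PendingDeletion":
            kms.cancel_key_deletion(KeyId=key_id)  # key is now Disabled
            actions.append("cancel_key_deletion")
        if state in ("PendingDeletion", "Disabled"):
            kms.enable_key(KeyId=key_id)  # SSE-KMS objects usable again
            actions.append("enable_key")
    return {"keyId": key_id, "actions": actions,
            "actor": detail.get("userIdentity", {}).get("arn")}
```

The returned actor ARN is what you would feed into the follow-up step of revoking that principal's access; the handler only restores the key.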