I have a power user policy attached to AWS user1, user2, user3.
I log in as user1 to create a KMS key and made user2 a key admin.
I update the key policy to make EC2-iamrole-1, EC2-iamrole-2, and user3 key users.
user2 can still use KMS keys for decryption and access files.
I change the KMS key policy and remove user-c from key users.
It seems anyone who has the power user policy attached to their user can use the KMS key even if they are not in key users.
Good explanation, thanks!
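The behaviour reported in the comment above can be reproduced with a small policy model. This is an added example, not code from the thread. It assumes the key policy still holds the default "Enable IAM User Permissions" statement that names the account root and so defers to IAM policies. The account id, ARNs and function names are constructed for illustration.

```python
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"

# Constructed key policy: default root statement plus explicit key users.
KEY_POLICY = {"Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:role/EC2-iamrole-1",
                           f"arn:aws:iam::{ACCOUNT}:role/EC2-iamrole-2"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"]}]}
# Modelled on the main statement of the AWS managed PowerUserAccess policy.
POWER_USER = {"Statement": [{"Effect": "Allow", "Resource": "*",
                             "NotAction": ["iam:*", "organizations:*", "account:*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def stmt_allows(stmt, action):
    """True if an Allow statement covers the action (Action or NotAction)."""
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        return not hit(stmt["NotAction"])
    return hit(stmt.get("Action", []))

def key_policy_result(policy, principal_arn, action):
    """'direct' if the principal is named, 'delegated' if only the account
    root is named (IAM policies then decide), otherwise 'none'."""
    result = "none"
    for stmt in policy["Statement"]:
        named = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if not stmt_allows(stmt, action):
            continue
        if principal_arn in named:
            return "direct"
        if ROOT in named:
            result = "delegated"
    return result

def can_use_key(key_policy, iam_policies, principal_arn, action):
    """Simplified: ignores Deny, conditions, grants, SCPs, boundaries."""
    verdict = key_policy_result(key_policy, principal_arn, action)
    if verdict == "delegated":  # key policy defers to identity policies
        return any(stmt_allows(s, action) for p in iam_policies for s in p["Statement"])
    return verdict == "direct"
```

Dropping the first statement from `KEY_POLICY` makes the same call return `False` for user2 while the listed roles keep access. A real key policy must still name a key administrator so the key stays manageable.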