paulz
To truly restrict access to a key you should use key policies and not rely on IAM policies alone. There are various use cases where you need full admin access in the account but should not have access to the data in the account. This is where we use our admin accounts to provision a key for someone and put a key policy on the key that prevents anybody other than the intended person / role to perform administrative actions on the key after creation.
This applies to all services that support resources policies.
Note: The Administrator policy is not "god mode", the root user is "god mode" and even the root user is bound by the SCPs on the account / ou.
Paulz is correct, he knows what he is talking about. Key Policies should be used instead of or in addition to IAM policies for CMKs for a more secure architecture.