In the discussion about KMS key policy, Mike mentions that root does not have access unless specified in the policy and highlights the danger of root not having access, but root has full permissions by default, so I'm not sure it's necessary to put the bullet below in the slide and sound the alarm. I suppose an argument could be made that Mike is warning you about the implications of removing root from the policy. If that's the case, I think the discussion and slide could be modified to make that clearer.
- Root does not have access unless they’re specified in the Key Policy
So the bullet point is correct. But as you say, the access may be added by default, but only if you don't specify an alternative.
In an environment where the CLI and API are used, and where policy documents are provided as an input of course, you won't get that default.
I think it's a good point to highlight, as it's one of the only places (if not the only place) where you can lock out the root user.
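To make the point above concrete, here is an added example (not from the course or from either poster) of a small pre-deploy lint that reads a KMS key policy document and reports whether the account root would be locked out. It embeds two constructed policies: the shape of the default key policy KMS applies when you create a key without supplying one, and a hand-written policy of the kind you would pass on the CLI or API that names only an application role. The account ID `111122223333` and the role name `app-role` are placeholders, and the evaluator is deliberately simplified: it only looks at `Allow` statements and ignores `Deny` statements and `Condition` elements, so treat a "no lockout" result as a hint, not as a full IAM policy evaluation.

```python
import fnmatch
import json

# Constructed example: the shape of the default key policy that KMS attaches
# when CreateKey is called without a policy. The account ID is a placeholder.
ACCOUNT_ID = "111122223333"

DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# Constructed example: a policy supplied via --policy on the CLI/API that
# names only a hypothetical application role. Root is not mentioned, so the
# default grant above is never applied and root is locked out.
LOCKOUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Only the app role",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/app-role"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Flatten the Principal element into the AWS principal strings it names."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS", []))]
    return []  # Service/Federated principals are irrelevant to root lockout


def root_allowed_actions(policy, account_id):
    """Return the action patterns that Allow statements grant to the account
    root, either by naming it (ARN or bare account ID) or via the '*' wildcard.
    Deny statements and Condition elements are ignored (simplification)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    root_arn = f"arn:aws:iam::{account_id}:root"
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _aws_principals(stmt.get("Principal", {}))
        if not any(p in ("*", root_arn, account_id) for p in principals):
            continue
        allowed.update(_as_list(stmt.get("Action", [])))
    return allowed


def root_can(policy, account_id, action):
    """True if some Allow statement for root matches the action (case-insensitive,
    with IAM-style '*' wildcards such as 'kms:*')."""
    patterns = root_allowed_actions(policy, account_id)
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def lockout_risk(policy, account_id):
    """True when root cannot change the key policy: only the principals already
    named in the policy could ever fix it, short of going to AWS Support."""
    return not root_can(policy, account_id, "kms:PutKeyPolicy")


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_KEY_POLICY), ("custom", LOCKOUT_POLICY)):
        print(f"{name}: root lockout risk = {lockout_risk(policy, ACCOUNT_ID)}")
```

Running it reports no lockout risk for the default policy and a lockout risk for the custom one. Note that KMS itself runs a policy lockout safety check on `CreateKey` and `PutKeyPolicy`, but that check only ensures the principal making the request keeps `kms:PutKeyPolicy`; it does nothing to keep root in the policy, which is exactly why the bullet on the slide is worth keeping.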