1 Answer
Lawrence,
What the default key policy is saying is that for this key, the account 111122223333 (aka its root user) is allowed to delegate any permissions within the scope of kms:* to principals in the account via IAM policies. The default policy as is does not give access to specific principals on its own. To do so you’d have to 1) configure permissions to the key in the principal’s IAM policy or 2) modify the default key policy and explicitly specify the principal.
You’re correct that the key policy could be used to limit access as well; you could do this via an explicit deny. Or you could reduce the kms:* scope in the key policy, but this would also reduce the possible permissions that account 111122223333 could delegate.
Thought this article was helpful for understanding the default key policy: https://github.com/awsdocs/aws-kms-developer-guide/blob/master/doc_source/determining-access-key-policy.md
This flowchart is really handy as well: https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html
Note that since a KMS key policy is a resource-based policy, the policy evaluation logic changes a bit depending on whether or not the principal is in the same account.
Hope this helps.
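To make the answer above concrete, here is an added, simplified model of how a key policy and an IAM identity policy combine for a same-account principal. It is example code written for this page, not AWS's evaluation engine and not from the linked guide; it only encodes the rules the answer describes (account root delegates kms:* via IAM, a key policy can name principals directly, an explicit deny in either policy wins, and the delegation scope is whatever the root statement's Action allows). The key ARN, the `alice` and `bob` user ARNs and the policies are constructed placeholders; the cross-account case is deliberately left as an implicit deny because its evaluation differs and is not modelled here.

```python
"""Simplified model of KMS key policy + IAM policy evaluation for a
same-account principal. Added illustration only; it is not AWS's real
policy engine and it does not model grants, conditions or cross-account
trust. All ARNs and policies below are constructed placeholders."""
import fnmatch

ACCOUNT = "111122223333"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID"  # placeholder key ARN
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"          # constructed same-account user
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"              # constructed same-account user
EVE = "arn:aws:iam::999999999999:user/eve"            # constructed other-account user

# The default key policy: the account root may delegate kms:* through IAM policies.
# On its own it grants nothing to alice or bob.
ROOT_STATEMENT = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                  "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}
DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [ROOT_STATEMENT]}

# Variant 2 from the answer: name the principal explicitly in the key policy.
KEY_POLICY_WITH_BOB = {"Version": "2012-10-17", "Statement": [
    ROOT_STATEMENT,
    {"Effect": "Allow", "Principal": {"AWS": BOB}, "Action": "kms:Decrypt", "Resource": "*"}]}

# Limiting access with an explicit deny in the key policy.
KEY_POLICY_DENY_ALICE = {"Version": "2012-10-17", "Statement": [
    ROOT_STATEMENT,
    {"Effect": "Deny", "Principal": {"AWS": ALICE}, "Action": "kms:*", "Resource": "*"}]}

# Narrowing the root statement: IAM can now delegate only kms:Describe*.
NARROWED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:Describe*", "Resource": "*"}]}

# Variant 1 from the answer: an IAM identity policy attached to alice (constructed).
ALICE_DECRYPT_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Principal ARNs (or '*') named by a resource-policy statement."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return _as_list(p.get("AWS"))
    return []


def _matches(stmt, principal_arn, action, key_arn, identity_policy):
    """True if the statement covers this principal, action and key."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
        return False
    if not any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(stmt.get("Resource"))):
        return False
    if identity_policy:
        return True  # an IAM policy implicitly applies to the identity it is attached to
    return any(fnmatch.fnmatchcase(principal_arn, p) for p in _principals(stmt))


def _effects(policy, principal_arn, action, key_arn, identity_policy=False):
    """Set of Effects ('Allow'/'Deny') from statements that match the request."""
    return {s["Effect"] for s in (policy or {}).get("Statement", [])
            if _matches(s, principal_arn, action, key_arn, identity_policy)}


def evaluate(key_policy, iam_policy, principal_arn, action, key_arn=KEY_ARN):
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request."""
    account = key_arn.split(":")[4]
    key_effects = _effects(key_policy, principal_arn, action, key_arn)
    iam_effects = _effects(iam_policy, principal_arn, action, key_arn, identity_policy=True)
    # An explicit deny in either policy always wins.
    if "Deny" in key_effects or "Deny" in iam_effects:
        return "EXPLICIT_DENY"
    # The key policy names the principal directly.
    if "Allow" in key_effects:
        return "ALLOW"
    # Same account only: the root statement delegates to IAM, so the IAM
    # policy must allow the action AND the action must be inside the
    # root statement's scope (kms:* by default).
    same_account = principal_arn.split(":")[4] == account
    root_effects = _effects(key_policy, f"arn:aws:iam::{account}:root", action, key_arn)
    if same_account and "Allow" in root_effects and "Allow" in iam_effects:
        return "ALLOW"
    return "IMPLICIT_DENY"


if __name__ == "__main__":
    for label, kp, ip, who in [("default, no IAM", DEFAULT_KEY_POLICY, None, ALICE),
                               ("default + IAM", DEFAULT_KEY_POLICY, ALICE_DECRYPT_IAM, ALICE),
                               ("key policy deny", KEY_POLICY_DENY_ALICE, ALICE_DECRYPT_IAM, ALICE),
                               ("bob named in key policy", KEY_POLICY_WITH_BOB, None, BOB),
                               ("narrowed root scope", NARROWED_KEY_POLICY, ALICE_DECRYPT_IAM, ALICE)]:
        print(f"{label:26s} kms:Decrypt -> {evaluate(kp, ip, who, 'kms:Decrypt')}")
```

Running the block prints one line per scenario; the two cases worth noticing are that the default key policy alone yields an implicit deny for alice, and that narrowing the root statement's Action to kms:Describe* turns alice's IAM-allowed kms:Decrypt into an implicit deny even though her IAM policy is unchanged.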
Thanks CL. The penny has dropped for me.