Certified Security - Specialty


Reduces the risk of the CMK becoming unmanageable

Hi,

I found something interesting. In the link https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam, you can read:

You cannot delete your AWS account’s root user, so allowing access to this user reduces the risk of the CMK becoming unmanageable. Consider this scenario:

A CMK’s key policy allows only one IAM user, Alice, to manage the CMK. This key policy does not allow access to the root user.

Someone deletes IAM user Alice.

In this scenario, the CMK is now unmanageable, and you must contact AWS Support to regain access to the CMK. The root user does not have access to the CMK, because the root user can access a CMK only when the key policy explicitly allows it. This is different from most other resources in AWS, which implicitly allow access to the root user.

and on the same page (a few lines after):

Warning

Even though key administrators do not have permissions to use the CMK to encrypt and decrypt data, they do have permission to modify the key policy. This means they can give themselves these permissions.

So I don’t understand: couldn’t a root user access the key policy, update it and give the necessary permissions to use the key? I’m confused…

Can you help me ?

Thanks a lot

1 Answer

So I don’t understand: couldn’t a root user access the key policy, update it and give the necessary permissions to use the key? I’m confused…

The above seems to be true: once you have only one key administrator (for example, John Adams in Ryan’s example) and that user is deleted, the policy cannot be modified even by the root user. I have tried the scenario, and as root I cannot go in and add other users or myself as the administrator.
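A defender's check for the lockout scenario the question quotes, added here as an example (it is not code from the thread, from AWS, or from the course): it reads a KMS key policy document and reports whether any root principal can still rewrite the policy, so that deleting the listed IAM principals would not strand the CMK. The sample policies, the account id and the principal names are constructed placeholders.

```python
import fnmatch

# Constructed sample key policies (not from the thread). The first carries the
# default "Enable IAM User Permissions" statement that lets the account root user
# manage the key; the second is the docs' lockout scenario: only IAM user Alice.
ACCOUNT = "111122223333"  # placeholder account id
ROOT_ENABLED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow administration of the key", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/Alice"},
     "Action": ["kms:Describe*", "kms:Put*", "kms:ScheduleKeyDeletion"],
     "Resource": "*"}]}
ALICE_ONLY = {"Version": "2012-10-17", "Statement": [ROOT_ENABLED["Statement"][1]]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_root(principal):
    # Both "arn:aws:iam::<acct>:root" and a bare account id denote the root user.
    return principal.endswith(":root") or (principal.isdigit() and len(principal) == 12)


def admin_principals(policy):
    """Principals that an unconditional Allow lets call kms:PutKeyPolicy
    (directly or through a wildcard such as kms:* or kms:Put*)."""
    admins = set()
    for stmt in policy["Statement"]:
        # Conditional grants may not hold at recovery time, so they are not counted.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("kms:putkeypolicy", a) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            admins.add("*")
        else:
            admins.update(_as_list(principal.get("AWS", [])))
    return admins


def lockout_risk(policy):
    """True when no root principal can rewrite the policy: every administrator is
    then a deletable IAM principal, and losing them leaves the CMK unmanageable."""
    return not any(p == "*" or _is_root(p) for p in admin_principals(policy))
```

Run it against a policy fetched with `get-key-policy` to audit existing keys; a `True` result means the key depends entirely on IAM principals that could be deleted.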
