I have created a group with policy "AdministratorAccess" and added a user to this group named "User_admin". I created a new CMK in KMS by the name "Test_CMK". "User_admin" has "Key user" access, not "Key administrator" access, to the key "Test_CMK". When I log in to the console using the user name "User_admin", I can enable/disable the "Test_CMK" key, even though "User_admin" is not a "Key administrator" for "Test_CMK". Could you please let me know where I am wrong here? I thought user "User_admin" didn't have access to "Enable/Disable" the key.
AdministratorAccess is like God. It can do everything*, even if you don’t explicitly specify. This is explained in KMS Part 2.
Your KMS key policy has ALLOW statements in it, allowing "Useradmin" to use the key. It does not have DENY statements preventing "Useradmin" from administering the key. Separately, "Useradmin" is in an IAM group (Administrators) that has an IAM policy that ALLOWs access to *:* – full, unrestricted access to all services (including KMS).
So – ALLOW from the group IAM policy & NO DENY on the key policy == "Useradmin" is allowed to admin the key.
If you added an explicit DENY to the Key Policy denying the user "Useradmin" from administering the key, the explicit DENY in the key policy would overrule the ALLOW statement in the IAM policy.
Do note that Administrators have so much access that they can usually work around these limits: for example – creating a new user, adding that user to the Administrators group, and since the new user is not explicitly denied – they could administer the key.
*There are some things that can only be done by root, but AdministratorAccess is as close to root as you can get without being root.
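To make the evaluation rule in the answer concrete, here is an added example (not the answerer's code, and not how AWS is implemented) that models a same-account KMS decision: an explicit Deny in any applicable policy wins, otherwise any Allow wins, otherwise the call is implicitly denied, and IAM policies only count once the key policy's "Enable IAM User Permissions" statement trusts the account root. The policies, the account id and the user ARN are constructed placeholders, and conditions, resource ARNs and cross-account access are deliberately ignored.

```python
import fnmatch

ACCOUNT = "111122223333"                        # placeholder account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
USER_ADMIN = f"arn:aws:iam::{ACCOUNT}:user/User_admin"

# Constructed policies mirroring the setup in the question.
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
KEY_POLICY = {"Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key (Key user)", "Effect": "Allow",
     "Principal": {"AWS": USER_ADMIN},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
]}
# The fix the answer suggests: an explicit Deny in the key policy.
DENY_KEY_ADMIN = {"Sid": "Deny key administration to User_admin", "Effect": "Deny",
                  "Principal": {"AWS": USER_ADMIN},
                  "Action": ["kms:EnableKey", "kms:DisableKey", "kms:ScheduleKeyDeletion"],
                  "Resource": "*"}

def with_explicit_deny(key_policy):
    return {"Statement": key_policy["Statement"] + [DENY_KEY_ADMIN]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _applies(stmt, principal, action):
    """Does this statement cover the principal and action? (Conditions ignored.)"""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if "Principal" not in stmt:            # identity policy: attached to the caller
        return True
    return principal in _as_list(stmt["Principal"]["AWS"])

def evaluate(principal, action, key_policy, iam_policies):
    """Same-account KMS decision: explicit Deny > Allow > implicit Deny.
    IAM policies only count once the key policy trusts the account root."""
    statements = list(key_policy["Statement"])
    iam_enabled = any(s["Effect"] == "Allow" and s.get("Principal", {}).get("AWS") == ROOT
                      for s in statements)
    if iam_enabled:
        for policy in iam_policies:
            statements += policy["Statement"]
    applicable = [s for s in statements if _applies(s, principal, action)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    return "Deny"
```

With the original policies `evaluate(USER_ADMIN, "kms:DisableKey", KEY_POLICY, [ADMINISTRATOR_ACCESS])` returns "Allow" (the behaviour the question observed); with `with_explicit_deny(KEY_POLICY)` it returns "Deny", while a second administrator not named in the Deny statement is still allowed, which is the workaround the answer warns about.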