Why can't I read or update an AWS KMS key policy in AWS KMS?

3 minute read

I want to update a AWS KMS key policy in AWS Key Management Service (AWS KMS). I verified that I have administrator permissions for my AWS Identity and Access Management (IAM) identities (users, groups, and roles). However, I can't read or update the KMS key policy.

Short description

IAM principals must have the API action permission GetKeyPolicy to read a key policy, and PutKeyPolicy to update a policy. These permissions are granted either directly with the key policy, or a combination of the key and IAM policies. For more information, see AWS Key Management Service.

The default AWS KMS key IAM policy contains a statement similar to this:

{  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:root"
  "Action": "kms:*",
  "Resource": "*"

The IAM entities for the AWS account 111122223333 can perform any AWS KMS actions allowed in the attached policy. Sometimes entities can't perform API actions such as GetKeyPolicy or PutKeyPolicy even if their attached policies include the permissions. To resolve this error, check whether the statement "Enable IAM User Permissions" was changed.


Check IAM policy permissions

Make sure that your IAM entities have permission to read and update an AWS KMS key similar to this IAM policy:

{  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": [
      "Resource": "arn:aws:kms:*:111122223333:key/*"

Use CloudTrail event history

  1. Open the AWS CloudTrail console, and then choose Event history.
  2. Choose the Lookup attributes dropdown list, and then choose Event name.
  3. In the search window, enter PutKeyPolicy.
  4. Open the most recent PutKeyPolicy event.
  5. In Event record, copy the policy, and paste it into your favorite text editor.
  6. Parse the policy into a readable format.
  7. In the IAM policy Sid "Allow access for Key Administrators", note the IAM identity administrators similar to this:
{  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {
    "AWS": [

Key administrators can then be used to regain access to the key.

Use Athena queries

If the CloudTrail event history event is past 90 days, you can use Amazon Athena to search through CloudTrail logs. For instructions, see Use the CloudTrail console to create an Athena table for CloudTrail logs.

For more information, see How do I automatically create tables in Athena to search through CloudTrail logs?

Related information

Secure access keys

AWS KMS concepts

AWS OFFICIALUpdated 6 months ago
No comments