KMS customer managed keys aren't being deleted with my AWS root account.

0

KMS customer managed keys aren't being deleted with my AWS root account. I tried to change the policy to delete the key, but my AWS account does not have the PutKeyPolicy permission, so I can't change the policy either.

I'd be grateful if you could help me on what to do.

Unnecessary expenses continue to arise.

Policy of the current key:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow access for all principals in the account that are authorized",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::1234567890123:root" },
      "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt",
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "eks.eu-north-1.amazonaws.com",
          "kms:CallerAccount": "1234567890123"
        }
      }
    },
    {
      "Sid": "Allow direct access to key metadata to the account",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::1234567890123:root" },
      "Action": [
        "kms:RevokeGrant",
        "kms:List*",
        "kms:Get*",
        "kms:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": { "AWS": "AROA4UHUGSEYYKGM6DZJP" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": { "AWS": "AROA4UHUGSEYTGJOEARN3" },
      "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": { "AWS": "AROA4UHUGSEYTGJOEARN3" },
      "Action": [
        "kms:RevokeGrant",
        "kms:ListGrants",
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "kms:GrantIsForAWSResource": "true" }
      }
    }
  ]
}
```
Asked 1 year ago, viewed 364 times
2 answers
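As an added example (not part of the original post), a small offline check of the posted policy that answers the practical question here: which principals, if any, are still granted kms:PutKeyPolicy or kms:ScheduleKeyDeletion, and whether the account root is among them. The policy is embedded as a constructed copy of the one above, keeping its placeholder account id and role ids.

```python
import fnmatch
# Constructed copy of the policy in the question (account id and role ids are its placeholders).
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
 {"Sid": "Allow access for all principals in the account that are authorized", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::1234567890123:root"}, "Resource": "*",
  "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt", "kms:DescribeKey", "kms:Decrypt", "kms:CreateGrant"],
  "Condition": {"StringEquals": {"kms:ViaService": "eks.eu-north-1.amazonaws.com", "kms:CallerAccount": "1234567890123"}}},
 {"Sid": "Allow direct access to key metadata to the account", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::1234567890123:root"}, "Resource": "*",
  "Action": ["kms:RevokeGrant", "kms:List*", "kms:Get*", "kms:Describe*"]},
 {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
  "Principal": {"AWS": "AROA4UHUGSEYYKGM6DZJP"}, "Action": "kms:*", "Resource": "*"},
 {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": "AROA4UHUGSEYTGJOEARN3"}, "Resource": "*",
  "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt", "kms:DescribeKey", "kms:Decrypt"]},
 {"Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Resource": "*",
  "Principal": {"AWS": "AROA4UHUGSEYTGJOEARN3"}, "Action": ["kms:RevokeGrant", "kms:ListGrants", "kms:CreateGrant"],
  "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}

# Actions needed to change or retire the key; only the key policy grants them (IAM policies can only delegate what it grants root).
MANAGEMENT_ACTIONS = ("kms:PutKeyPolicy", "kms:ScheduleKeyDeletion")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_allows(statement, action):
    """True if an Allow statement's Action patterns cover `action` ('*' wildcard, case-insensitive).
    Deny and NotAction are not handled; the posted policy uses neither."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def principals_allowed(policy, action):
    """Map each AWS principal to the Sids granting `action`, flagging statements that carry a Condition."""
    allowed = {}
    for stmt in policy["Statement"]:
        if statement_allows(stmt, action):
            label = stmt["Sid"] + (" (conditional)" if "Condition" in stmt else "")
            for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
                allowed.setdefault(principal, []).append(label)
    return allowed

def lockout_report(policy, account_id):
    """Per management action: is the account root granted it (so IAM policies could delegate it), and who else is?"""
    root = f"arn:aws:iam::{account_id}:root"
    report = {}
    for action in MANAGEMENT_ACTIONS:
        who = principals_allowed(policy, action)
        report[action] = {"root_allowed": root in who, "principals": sorted(who)}
    return report
```

For this policy the report shows the account root is granted neither action, so no IAM policy in the account can help, and the only principal that can is the bare role id in the Key Administrators statement; AWS writes a unique id like that into a policy in place of the ARN when the referenced role has been deleted, which is why the lockout is complete.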
1

You might have locked yourself out of your key by not having PutKeyPolicy permission. It seems like there's a SID for "Allow access for Key Administrators" that would have allowed it, but not sure if the role/user tied to the principal is in your control. You will need to reach out to AWS Support to prove your ownership of the account in order to regain admin access for your key.

AWS
Answered 1 year ago
Expert
Reviewed 2 months ago
0

If I delete the account itself without requesting AWS Support, will the KMS key be deleted as well?

Answered 1 year ago
