When I open the customer managed keys in region eu-central-1, I can see one key, but I get the following error message:
DescribeKey request failed AccessDeniedException - User: arn:aws:iam::<MY_ACCOUNT>:user/admin is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:eu-central-1:<MY_ACCOUNT>:key/<MY_KEY_ID> because no resource-based policy allows the kms:DescribeKey action
This happens even though I try as root or as an admin user who does have the DescribeKey permission.
Even using AWS CLI, I cannot do anything about this key.
This leads to the strange situation that I can see the key, but I cannot do anything about it, not even deleting it or getting any details about it. And I also cannot see how I can modify the resource-based policy of that key.
Any help is appreciated!
I cannot comment because I don't have 50 reputation, so I'll add this as an answer: If you create a KMS key while logged in using SSO (AWS Identity Center), and then your admin deletes and recreates the permission set used to log in, you lose access to the key. Similarly, if you assume a role and create a KMS key, and that role gets recreated (e.g. by Terraform / CloudFormation / script), you lose access to the key.
So basically, you're stuck with unmanageable KMS keys. Something else to note is that you could try to contact AWS Support to regain access to the KMS keys or to delete them. However, you cannot create a support ticket unless you have a paid support plan. And if you have multiple AWS accounts (isn't that recommended?) you must be paying for support in the specific account that holds the KMS keys! AWS Organizations does not consolidate AWS support under one org!
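The mechanism behind the answer above is that a KMS key policy names principals by ARN, and when IAM deletes the user or role behind that ARN the policy entry is rewritten to the principal's unique ID (an `AROA…`/`AIDA…` value), which a recreated role of the same name never matches. If the key policy has no statement granting the account root (`arn:aws:iam::<account>:root`) administrative rights, IAM identity policies cannot reach the key either, which is exactly the lock-out in the question. The following linter is an added example (not code from the thread) that flags key policies in that state; the three policy documents, account ID 123456789012 and role names are constructed samples.

```python
"""Lint a KMS key policy for the lock-out described in the answer above.

Added example; not code from the original thread. The policies, the account ID
and the role names are constructed samples for illustration.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # hypothetical account ID

# Actions a principal needs to repair or dispose of a key. If only a specific
# user/role (and not the account root) can perform these, the key is one
# role recreation away from being unmanageable.
RECOVERY_ACTIONS = ("kms:PutKeyPolicy", "kms:ScheduleKeyDeletion")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def _grants(stmt, action):
    # IAM action names match case-insensitively and support "*" wildcards.
    return any(fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action")))


def analyze_key_policy(policy, account_id):
    """Return (kind, detail) findings. An empty list means the key stays
    manageable through IAM identity policies even if every named role vanishes."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    findings = []
    root_can_recover = False
    sole_admins = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        recovers = all(_grants(stmt, a) for a in RECOVERY_ACTIONS)
        for principal in _principals(stmt):
            if principal == root_arn:
                root_can_recover = root_can_recover or recovers
            elif principal.startswith(("AROA", "AIDA")) and ":" not in principal:
                # IAM rewrites a deleted role's/user's ARN in resource policies
                # to its unique ID, so a bare AROA/AIDA value means it is gone.
                findings.append(("orphaned_principal", principal))
            elif recovers and principal.startswith("arn:aws:iam::"):
                sole_admins.append(principal)
    if not root_can_recover:
        findings.append(("no_root_admin", root_arn))
        # Only worth reporting when nothing else can recover the key.
        findings.extend(("single_principal_admin", p) for p in sole_admins)
    return findings


# Default-style policy: root gets kms:*, so IAM policies can grant anything.
SAFE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/app-server"},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
}

# Key created by a deployment role that is its only administrator.
FRAGILE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Deployer admin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/TerraformDeploy"},
         "Action": "kms:*", "Resource": "*"},
    ],
}

# The same key after TerraformDeploy was deleted and recreated: the ARN in
# the policy has been replaced by the old role's unique ID.
ORPHANED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Deployer admin", "Effect": "Allow",
         "Principal": {"AWS": "AROA2EXAMPLEDELETED1"},
         "Action": "kms:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("safe", SAFE_POLICY), ("fragile", FRAGILE_POLICY),
                      ("orphaned", ORPHANED_POLICY)):
        print(name, json.dumps(analyze_key_policy(doc, ACCOUNT)))
```

Feed it the document returned by `aws kms get-key-policy --key-id <key-id> --policy-name default` for each key you can still read; once a key is in the state described in the question, `kms:GetKeyPolicy` is denied along with everything else, so this is a preventive check rather than a recovery tool. The fix it points at is to keep the default "Enable IAM User Permissions" statement (account root with `kms:*`) in every key policy, so that recreating a role can only cost that role its access, never the account's.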