Under the page https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html, Changing Key Policy, I suggest including the following relevant and important point (with the suggested examples):
KMS will only allow the currently authenticated entity to change the key policy's Principal entry if both match.
For example, if the KMS key policy has the following entry:
{
    "Sid": "Enable IAM policies",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
    },
    "Action": "kms:*",
    "Resource": "*"
}
Even if the root user is currently logged in to the console, that root user won't be able to change this policy to the following, as they will receive an access denied error:
{
    "Sid": "Enable IAM policies",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/user123"
    },
    "Action": "kms:*",
    "Resource": "*"
}
However, if user123 has an identity policy attached to them allowing, for example, kms:*, and user123 logs in to the console, then they could change the key policy to the following:
{
    "Sid": "Enable IAM policies",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/user123"
    },
    "Action": "kms:*",
    "Resource": "*"
}
but they would not even be able to revert the key policy to the default one, even if they tried the following:
{
    "Sid": "Enable IAM policies",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
    },
    "Action": "kms:*",
    "Resource": "*"
}
Lastly, please note that this behavior would basically allow an IAM user that has enough KMS privileges (e.g. kms:*) to take full ownership of the KMS key while disallowing all other users, including the root user of the account itself.
Please let me know if these two behaviors are mentioned or explained clearly anywhere else in the KMS documentation.
Thank you for your support and hard work.
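Added example, not part of the feedback above and not AWS's own code: a small Python helper that walks the key policy changes described in the post. It wraps the post's "Enable IAM policies" statement in a full key policy document (constructed input; the account 111122223333 and user123 are the post's placeholders), swaps the Principal of that statement, and runs a local, simplified pre-check of whether the calling principal would still be granted kms:PutKeyPolicy under the proposed document, before handing the document to the real PutKeyPolicy API through a boto3 KMS client passed in by the caller. The principal-matching rules are the documented key policy semantics (an exact ARN matches that principal; the account, written as a bare account id or arn:aws:iam::ACCOUNT:root, matches the account's root user directly and matches IAM principals only when their own IAM policies allow the action), but Deny statements and Condition blocks are not evaluated, and the whole check is only a pre-flight approximation, not the KMS policy evaluation engine. The function names, the boolean `caller_has_iam_allow` standing in for the caller's IAM permissions, and the `key_id` value are assumptions for the example.

```python
import json
import re

ACCOUNT_ID = "111122223333"                       # placeholder account from the post
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/user123"
SID = "Enable IAM policies"

# Constructed input: the post's single statement wrapped in a complete key policy document.
BASE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": SID,
            "Effect": "Allow",
            "Principal": {"AWS": ROOT_ARN},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def with_principal(policy: dict, sid: str, principal_arn: str) -> dict:
    """Deep-copy `policy` and replace the Principal of the statement whose Sid is `sid`."""
    new_policy = json.loads(json.dumps(policy))
    for stmt in new_policy["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Principal"] = {"AWS": principal_arn}
            return new_policy
    raise KeyError(f"no statement with Sid {sid!r}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(actions, wanted: str = "kms:PutKeyPolicy") -> bool:
    """IAM action names are matched case-insensitively and support '*' wildcards."""
    for action in _as_list(actions):
        pattern = "^" + re.escape(action).replace(r"\*", ".*") + "$"
        if re.match(pattern, wanted, re.IGNORECASE):
            return True
    return False


def _resource_matches(resources) -> bool:
    # In a key policy, Resource "*" means the KMS key the policy is attached to.
    return any(r == "*" or r.startswith("arn:aws:kms:") for r in _as_list(resources))


def _principal_matches(principal, caller_arn: str, caller_has_iam_allow: bool) -> bool:
    """Simplified key policy principal matching (see the lead-in for what is left out)."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    caller_account = caller_arn.split(":")[4]
    caller_is_root = caller_arn.endswith(":root")
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*" or entry == caller_arn:
            return True                                    # named directly in the key policy
        if entry in (caller_account, f"arn:aws:iam::{caller_account}:root"):
            # The account principal covers the root user itself and, for IAM users and
            # roles, delegates the decision to their IAM policies.
            if caller_is_root or caller_has_iam_allow:
                return True
    return False


def caller_keeps_put_key_policy(policy: dict, caller_arn: str,
                                caller_has_iam_allow: bool = False) -> bool:
    """True if some Allow statement still grants kms:PutKeyPolicy to the caller.
    Deny statements are not evaluated and statements carrying a Condition are skipped,
    so a False result errs toward predicting a lockout."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _action_matches(stmt.get("Action", [])):
            continue
        if not _resource_matches(stmt.get("Resource", [])):
            continue
        if _principal_matches(stmt.get("Principal"), caller_arn, caller_has_iam_allow):
            return True
    return False


def put_key_policy_safely(kms, key_id: str, policy: dict, caller_arn: str,
                          caller_has_iam_allow: bool = False) -> str:
    """Run the local pre-check, then call PutKeyPolicy through `kms` (a boto3 KMS client,
    or any object exposing the same put_key_policy keyword signature)."""
    if not caller_keeps_put_key_policy(policy, caller_arn, caller_has_iam_allow):
        return "refused-locally"
    kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=json.dumps(policy))
    return "applied"


if __name__ == "__main__":
    # Walk the post's scenario offline; only the local pre-check runs here.
    user_only = with_principal(BASE_KEY_POLICY, SID, USER_ARN)
    print("root keeps access under the default policy:",
          caller_keeps_put_key_policy(BASE_KEY_POLICY, ROOT_ARN))
    print("root keeps access when only user123 is named:",
          caller_keeps_put_key_policy(user_only, ROOT_ARN))
    print("user123 keeps access when only user123 is named:",
          caller_keeps_put_key_policy(user_only, USER_ARN))
```

To run it against a real key, pass `boto3.client("kms")` as `kms`. The PutKeyPolicy API performs its own policy lockout safety check on the server side and rejects a document that would remove the caller's ability to update the policy unless `BypassPolicyLockoutSafetyCheck=True` is passed; the wrapper deliberately never sets that parameter, so the local pre-check is only a way to fail early and explain why, not a replacement for the service-side check.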