There is no implicit or automatic permission to use or manage a KMS key. The primary way to manage access to your AWS KMS resources is with policies. KMS keys belong to the AWS account in which they were created. However, no identity or principal, including the AWS account root user, has permission to use or manage a KMS key unless that permission is explicitly provided in a key policy, IAM policy or grant. The IAM identity who creates a KMS key is not considered to be the key owner and they don't automatically have permission to use or manage the KMS key that they created. Like any other identity, the key creator needs to get permission through a key policy, IAM policy, or grant. However, identities who have the kms:CreateKey permission can set the initial key policy and give themselves permission to use or manage the key. To better understand KMS you can read for example docs.aws.amazon.com/kms/latest/developerguide/control-access.html
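The three ways the comment above lists (key policy, IAM policy, grant) can be checked against a toy evaluator. The block below is an added illustration, not code from the video or from AWS: it models only the rule the comment describes (nobody, not even the key creator, is allowed anything unless a key policy names them, the key policy delegates to the account root so that IAM policies apply, or a grant exists). The account id, key ARN, user name and the policy documents are constructed samples; explicit Deny statements, Condition keys and cross-account access are deliberately not modelled.

```python
"""Toy evaluator for the KMS access model: key policy, IAM policy (only when the
key policy delegates to the account root), or grant. Added example; this is not
the AWS authorizer. Deny, Condition and cross-account cases are not modelled."""
import fnmatch

ACCOUNT = "111122223333"  # constructed sample account id
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
CREATOR = f"arn:aws:iam::{ACCOUNT}:user/key-creator"  # constructed: the identity that called kms:CreateKey
ROOT = f"arn:aws:iam::{ACCOUNT}:root"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-insensitive wildcard match, as IAM applies it to Action/Resource."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _statement_allows(stmt, action, resource, principal=None):
    """Allow statement covering the action and resource (and the principal, if given)."""
    if stmt.get("Effect") != "Allow":
        return False
    if not _matches(stmt.get("Action", []), action):
        return False
    if not _matches(stmt.get("Resource", []), resource):
        return False
    if principal is not None:
        principal_el = stmt.get("Principal", {})
        allowed = _as_list(principal_el if isinstance(principal_el, str) else principal_el.get("AWS", []))
        if principal not in allowed and "*" not in allowed:
            return False
    return True


def key_policy_allows(key_policy, principal, action):
    return any(_statement_allows(s, action, KEY_ARN, principal) for s in key_policy["Statement"])


def iam_policy_allows(iam_policy, action):
    return any(_statement_allows(s, action, KEY_ARN) for s in iam_policy["Statement"])


def grant_allows(grants, principal, action):
    # Grants list operations without the "kms:" prefix, e.g. "Decrypt".
    op = action.split(":", 1)[1]
    return any(g["GranteePrincipal"] == principal and op in g["Operations"] for g in grants)


def is_allowed(principal, action, key_policy, iam_policy=None, grants=()):
    """Return which mechanism authorizes the call, or None when nothing does."""
    if key_policy_allows(key_policy, principal, action):
        return "key policy"
    # IAM policies only count if the key policy gives the account root the action.
    if iam_policy and key_policy_allows(key_policy, ROOT, action) and iam_policy_allows(iam_policy, action):
        return "IAM policy"
    if grant_allows(grants, principal, action):
        return "grant"
    return None


# constructed: a key policy with no statements; the key is locked to everyone
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": []}

# constructed: the "Enable IAM User Permissions" statement that delegates to IAM policies
DEFAULT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}

# constructed: the creator used kms:CreateKey to write an initial policy naming itself
CREATOR_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow creator to use the key", "Effect": "Allow",
    "Principal": {"AWS": CREATOR},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

# constructed: identity-based IAM policy attached to the creator
CREATOR_IAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "kms:Encrypt", "Resource": KEY_ARN}]}

# constructed: a grant giving the creator Decrypt only
GRANTS = [{"GranteePrincipal": CREATOR, "Operations": ["Decrypt"]}]


def demo():
    return {
        "locked key + IAM policy": is_allowed(CREATOR, "kms:Encrypt", LOCKED_POLICY, CREATOR_IAM_POLICY),
        "named in key policy": is_allowed(CREATOR, "kms:Encrypt", CREATOR_POLICY),
        "default policy + IAM": is_allowed(CREATOR, "kms:Encrypt", DEFAULT_POLICY, CREATOR_IAM_POLICY),
        "default policy, no IAM": is_allowed(CREATOR, "kms:Encrypt", DEFAULT_POLICY),
        "grant only": is_allowed(CREATOR, "kms:Decrypt", LOCKED_POLICY, grants=GRANTS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} -> {result or 'DENIED'}")
```

The first case is the one the comment stresses: an IAM policy on the creator is worthless while the key policy neither names the creator nor delegates to the account root, which is also why a key policy that drops the root statement can lock everyone out of the key.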
you did a great job explaining it, great graphics, it's nice to watch
thanks for feedback :)
Thank you for this tutorial it is very useful
No problem. New tutorial coming soon
For resource kms, it doesn't work.
Is it different for key policy?
@WojciechLepczynski thanks for your explanation, I was a bit confused with the key policy.
sure, no problem. KMS, especially cross-account and cross-region, can be confusing
Your name I'm unable to read or speak, btw good 🎥
Thanks for the feedback, new video coming soon.
If you need any evidence that AWS is a pure mess riding on marketing, this is a perfect example.
What do you mean Marko?