Why does the default KMS key policy give access to the root principal?

The default key policy grants kms:* to the root principal (arn:aws:iam::ACCOUNT:root) not to give the root user direct access, but to enable IAM policies in the account to control key access. Without this statement, no IAM policy — including those attached to administrators — can grant KMS permissions, and only the key policy itself controls access. Removing this statement risks permanently locking everyone out of the key if the key policy does not include other explicit grants.

What is the difference between a key policy and a KMS grant?

Key policies are JSON documents attached directly to the key, like resource-based policies on S3 buckets. Grants are programmatic, temporary access tokens that allow a principal to use a key for specific operations. AWS services use grants extensively — when you create an encrypted EBS volume, EBS creates a grant on the KMS key so it can decrypt the volume key. Grants can be revoked instantly and do not require modifying the key policy, making them ideal for transient access.

AWS KMS Key Policy Builder

IAM & SecurityAWS

Build KMS key policies with principals, conditions, and common grant patterns.

KMS Key Policy Configuration

AWS Account ID

Key Administrator ARNs

Key User ARNs

Service Grant Patterns

Amazon S3s3.amazonaws.com

Allow S3 to use this key for SSE-KMS encryption

Amazon EBSec2.amazonaws.com

Allow EBS to use this key for volume encryption

Amazon RDSrds.amazonaws.com

Allow RDS to use this key for database encryption

AWS Lambdalambda.amazonaws.com

Allow Lambda to use this key for environment variable encryption

CloudWatch Logslogs.amazonaws.com

Allow CloudWatch Logs to use this key for log group encryption

Key Rotation

Note: Key rotation is a key-level setting, not part of the key policy itself

Cross-Account Access

Generated KMS Key Policy

Output will appear here...

About This Tool

AWS KMS key policies are the primary access control mechanism for encryption keys — unlike most AWS resources, KMS keys do not inherit permissions from IAM policies unless the key policy explicitly allows it. This makes key policies uniquely critical: a misconfigured key policy can either lock everyone (including root) out of the key permanently or grant unintended decryption access across accounts. The builder provides guided forms for key administrators, key users, grant patterns, and cross-account access with appropriate conditions, following AWS's recommended key policy structure.

When to Use This Tool

•Building key policies that separate key administrators (who manage the key) from key users (who encrypt/decrypt with it) following least-privilege principles
•Configuring cross-account key access for sharing encrypted S3 buckets, EBS snapshots, or RDS backups across AWS accounts
•Setting up grant-based access patterns for AWS services like EBS, RDS, and Lambda that need temporary key access via grants
•Creating key policies that allow IAM policies to control access — which requires an explicit statement enabling the root principal

Frequently Asked Questions

Why does the default KMS key policy give access to the root principal?: The default key policy grants kms:* to the root principal (arn:aws:iam::ACCOUNT:root) not to give the root user direct access, but to enable IAM policies in the account to control key access. Without this statement, no IAM policy — including those attached to administrators — can grant KMS permissions, and only the key policy itself controls access. Removing this statement risks permanently locking everyone out of the key if the key policy does not include other explicit grants.
What is the difference between a key policy and a KMS grant?: Key policies are JSON documents attached directly to the key, like resource-based policies on S3 buckets. Grants are programmatic, temporary access tokens that allow a principal to use a key for specific operations. AWS services use grants extensively — when you create an encrypted EBS volume, EBS creates a grant on the KMS key so it can decrypt the volume key. Grants can be revoked instantly and do not require modifying the key policy, making them ideal for transient access.

Related Learning Guides

AWS IAM Best Practices25 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.