In your organization, your DevOps team is in charge of provisioning resources in an AWS account. Tim was a team member and created a Customer Managed Key in KMS several months ago. The default key policy is removed, and the key policy is as below.

Answer options:

A. Contact AWS Support to regain access to the CMK. 
B.Log in as the root user of the AWS account and add another user as the key administrator.
C.Use the IAM admin user to edit the key policy to allow all actions for the principal of arn:aws:iam::111122223333:root. Add other IAM users as key administrators or users if required.
D.Create an IAM policy that allows the action of kms:PutKeyPolicy and attach the policy to an IAM user. Login into AWS console with the user and modify the key policy to the default one. 
 

Correct Answer – A
About the default and recommended key policies in KMS, check the AWS documentation in https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default. The default key policy is as below:
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::111122223333:root"},
"Action": "kms:*",
"Resource": "*"
}
This allows the permissions of the key to be managed by IAM policies.
Option A is CORRECT: Because even the root user cannot manage it. You have to contact AWS Support to restore it.
Option B is incorrect: Because the root user cannot manage the key policy either as the user is not allowed to do that.
Option C is incorrect: Because the key policy cannot be modified by any IAM user anymore.
Option D is incorrect: Because the key policy still denies the action even if the IAM user has an IAM policy to allow it.