Amazon Web Services – Managing Invalid Keys in Key Management System

Last Updated : 28 Mar, 2023

In this article, we will look into how to resolve an error indicating that a “customer master key policy statement contains one or more invalid principals”.

When we create identities within AWS Identity and Access Management (IAM), we often give them friendly names such as developer or administrator. IAM entities can also be identified by their ARNs. When IAM creates a user, group, role, policy, instance profile or server certificate, it assigns each entity a unique ID that looks like below:


Suppose user1, an IAM user in our company, is specified in an AWS Key Management Service (KMS) key policy, and user1 leaves the company. If a new person is hired and an IAM user is created with the same name user1, that name alone must not carry the old permissions. In general, when an IAM user or an IAM role that has access to the KMS key is deleted, KMS replaces the ARN of that entity in the key policy with its unique ID.

This makes sure that the new employee user1 does not inherit the key permissions granted to the previous user.

To resolve this issue follow the below steps:

Step 1: After logging into the AWS Management Console, navigate to the KMS console. Then select the key.

Step 2: Now choose Key policy.

Here we can see the current permissions on the selected key.

Step 3: Navigate to the IAM console and choose the required users and then choose Delete user.

Step 4: Next choose Roles.

Step 5: Select the Role AdminRole.

Step 6: Then choose Delete role. 

Step 7: Navigate back to the KMS console. Note that the ARNs of the user user1 and the role AdminRole have now been replaced by their unique IDs.

Step 8: To resolve the above-mentioned error, review the statements in the key policy and remove any principals that now appear as unique IDs, paying attention to trailing commas so the JSON stays valid. Choose Save changes.
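
The manual review in Step 8 can be automated. The following Python script is an added example, not code from the original article or from AWS: it takes a key policy document, reports every AWS principal that is a bare IAM unique ID (the AIDA prefix marks a deleted IAM user, AROA a deleted IAM role) instead of an ARN, and produces a cleaned policy with those principals removed. Statements left with no principal are dropped entirely. The sample policy, account ID, Sids and the unique-ID values are constructed placeholders. Because the cleaned policy is re-serialised with json.dumps, the trailing-comma mistake the article warns about cannot occur.

```python
import json
import re

# Constructed sample key policy (placeholder account, Sids and IDs; not from any real account).
# It models the state described in Step 7: user1 and AdminRole were deleted, so KMS replaced
# their ARNs with their unique IDs.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::111122223333:user/user2",
                "AIDAEXAMPLEUNIQUEID01",  # placeholder: unique ID left behind for deleted user1
            ]},
            "Action": ["kms:Encrypt", "kms:Decrypt"],
            "Resource": "*",
        },
        {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {"AWS": "AROAEXAMPLEUNIQUEID02"},  # placeholder: unique ID for deleted AdminRole
            "Action": ["kms:Create*", "kms:Describe*"],
            "Resource": "*",
        },
    ],
}

# IAM unique IDs start with a four-letter type prefix: AIDA for IAM users, AROA for IAM roles.
# A live principal in a key policy is an ARN, which never matches this pattern.
UNIQUE_ID_RE = re.compile(r"^(AIDA|AROA)[A-Z0-9]+$")


def is_unique_id(principal):
    return isinstance(principal, str) and bool(UNIQUE_ID_RE.match(principal))


def _aws_principals(statement):
    """Return the statement's AWS principals as a list; "*" or a missing Principal yields []."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def find_orphaned_principals(policy):
    """List (Sid, principal) pairs for every AWS principal that is a bare unique ID."""
    found = []
    for statement in policy.get("Statement", []):
        for principal in _aws_principals(statement):
            if is_unique_id(principal):
                found.append((statement.get("Sid", "<no Sid>"), principal))
    return found


def strip_orphaned_principals(policy):
    """Return a copy of the policy with unique-ID principals removed.

    If a statement keeps no AWS principal, the AWS key is dropped; if that leaves the
    Principal element empty, the whole statement is dropped (a statement with no principal
    is itself invalid in a key policy).
    """
    cleaned = json.loads(json.dumps(policy))  # deep copy so the input is left untouched
    kept = []
    for statement in cleaned.get("Statement", []):
        principal = statement.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            remaining = [p for p in _aws_principals(statement) if not is_unique_id(p)]
            if remaining:
                principal["AWS"] = remaining[0] if len(remaining) == 1 else remaining
            else:
                del principal["AWS"]
                if not principal:  # no Service/Federated principal left either
                    continue
        kept.append(statement)
    cleaned["Statement"] = kept
    return cleaned


def render_policy(policy):
    """Serialise the policy as the JSON that would be pasted into the console or put-key-policy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for sid, principal in find_orphaned_principals(SAMPLE_KEY_POLICY):
        print(f"orphaned principal in statement '{sid}': {principal}")
    print(render_policy(strip_orphaned_principals(SAMPLE_KEY_POLICY)))
```

In practice the input would come from `aws kms get-key-policy --key-id <key id> --policy-name default --output text` and the cleaned document would go back via `aws kms put-key-policy`; review the printed report before applying it, since removing a principal is a permissions change on the key.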

So now we have demonstrated why an invalid principal error occurs in KMS and what to do to resolve it.
