🔥 3-day streak
AWS Certified Security - Specialty84 / 157
Question 84 of 157

A security engineer creates a new customer managed KMS key using the AWS CLI and specifies a custom key policy. The policy grants a specific application role permission to encrypt and decrypt, but omits any statement referencing the account root principal or the IAM administrators. Shortly after, the administrators discover that no one can manage the key — including updating the key policy itself — and they cannot delete or schedule deletion of the key from the console. What is the root cause and the recommended way to prevent this situation in the future?

Reviewed for accuracy · Report an issueNext question