Sitemap
Open in app

Sign in

Medium Logo
Write

Sign in

Recover an “orphaned” KMS key

Ben Riou
3 min readFeb 1, 2025

We recently had a rather painful experience recovering access to an “orphaned” KMS key, where the only owner specified in the KMS policy had been deleted.

When a such experience happens, the KMS key stays on the AWS account, but you cannot manage it anymore. You cannot describe it, you cannot edit it.

Attempting to recover access via the root account

Usually, when you’ve lock yourself out from a S3 bucket (editing it’s ressource-based policy), you connect via the IAM root account, this enables you the ability to remove or edit the attached bucket policy.

AWS recently introduced “temporary root accounts” allowing disposable, scope-limited root accounts for such cases.

… Nice try, but not for a KMS key

The KMS key remains only accessible to the only user explicitely defined on it’s policy, you cannot regain access via the root account access neither.

Contact the Support to the rescue

Hopefully, when apparently inextricable situations happen, the AWS Support is always there to assist.

So we raised a case to the support, that provided us the procedure.

The only way to recover that KMS key was to :

  • Make sure your account phone number is up to date.
  • Create a dedicated IAM User named : key_recovery_${KMS_ID_Key} with an IAM policy attached allowing to access the orphan key
  • Raise a case with the root account to the AWS support
  • Receive an security 6-digit passcode from the AWS support (in the case)
  • Wait (usually 24 hours) to receive a phone-call (on your account phone number) from the AWS Security Team, enquiring for the 6-digit pass code (you need to tell them by phone)
  • The AWS Security Team provides the green go to the AWS Support
  • The AWS Support edits the KMS Policy to allow the recently-created IAM User kms_recovery_${KMS_ID_Key} to manage the key.

AWS takes very seriously any tempering attempt on KMS policies, and the whole thing took us about 4 days to complete.

There is no safeguard preventing the deletion of an IAM User that is the sole entity capable of managing a specific KMS key, so stay cautious!

--

--

Ben Riou
Ben Riou

Written by Ben Riou

127 followers
74 following

Ben is a Senior Devops in Doctrine’s infrastructure team. In his free time, he enjoys hiking the scenic trails of Île-de-France, especially the GR1 route.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech