AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2025-08-28 · Documentation low

File: kms/latest/developerguide/key-policy-default.md

Summary

Clarified wording about account principal permissions in key policies.

Security assessment

Minor editorial improvement without security implications.

Diff

diff --git a/kms/latest/developerguide/key-policy-default.md b/kms/latest/developerguide/key-policy-default.md
index 8aa1bb5c8..3198b9b37 100644
--- a//kms/latest/developerguide/key-policy-default.md
+++ b//kms/latest/developerguide/key-policy-default.md
@@ -84 +84 @@ For example, suppose you create a key policy that gives only one user access to
-The key policy statement shown above gives permission to control the key to the [account principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts), which represents the AWS account and its administrators, including the [account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html). The account root user is the only principal that cannot be deleted unless you delete the AWS account. IAM best practices discourage acting on behalf of the account root user, except in an emergency. However, you might need to act as the account root user if you delete all other users and roles with access to the KMS key. 
+The key policy statement shown above gives the [account principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts) permission to control the key. The account principal represents the AWS account and its administrators, including the [account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html). The account root user is the only principal that cannot be deleted unless you delete the AWS account. IAM best practices discourage acting on behalf of the account root user, except in an emergency. However, you might need to act as the account root user if you delete all other users and roles with access to the KMS key.