AWS kms documentation change
Summary
Clarified wording about account principal permissions in key policies.
Security assessment
Minor editorial improvement without security implications.
Diff
diff --git a/kms/latest/developerguide/key-policy-default.md b/kms/latest/developerguide/key-policy-default.md index 8aa1bb5c8..3198b9b37 100644 --- a//kms/latest/developerguide/key-policy-default.md +++ b//kms/latest/developerguide/key-policy-default.md @@ -84 +84 @@ For example, suppose you create a key policy that gives only one user access to -The key policy statement shown above gives permission to control the key to the [account principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts), which represents the AWS account and its administrators, including the [account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html). The account root user is the only principal that cannot be deleted unless you delete the AWS account. IAM best practices discourage acting on behalf of the account root user, except in an emergency. However, you might need to act as the account root user if you delete all other users and roles with access to the KMS key. +The key policy statement shown above gives the [account principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts) permission to control the key. The account principal represents the AWS account and its administrators, including the [account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html). The account root user is the only principal that cannot be deleted unless you delete the AWS account. IAM best practices discourage acting on behalf of the account root user, except in an emergency. However, you might need to act as the account root user if you delete all other users and roles with access to the KMS key.