Overview

An IAM policy that prevents a user from disabling or deleting any CMKs, even when another IAM policy or a key policy allows these permissions.

Configuration Templates

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:DisableKey",
                "kms:ScheduleKeyDeletion"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

Actions



Customize Policy
No policy variables to customize
* Required field

Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation: