KMS policies are funky as hell:
KMS key access works roughly like cross-account resource policies, but with a twist. Every KMS key has a key policy (it is mandatory, and it is the primary access control for the key), and that key policy must either:
- Explicitly grant the IAM principal access, or
- Grant the account's root principal (arn:aws:iam::<account-id>:root) access, which permits IAM policies in that account to delegate access to the key
- Cross-account access works like any other resource policy: the key policy must allow the external account (or a specific principal in it) AND the principal's own IAM policy in its account must allow the action. IAM in the other account cannot delegate more than the key policy handed to that account.
- Same-account access also needs the first or second bullet. This is unlike most other resources (an S3 bucket with no bucket policy, for example), which by default trust IAM in their own account, so an IAM allow alone is enough. A KMS key trusts IAM in its own account only if the key policy says so; an IAM policy granting kms:Decrypt does nothing against a key whose policy never names the principal or the account root.
The root principal ARN in a key policy means that IAM in that account is permitted to delegate the listed key permissions to roles, users, and managed policies in the account (this is exactly the "Enable IAM User Permissions" statement the console puts in a default key policy). It does not grant access to all principals in the account: each principal still needs an IAM policy that allows the KMS action. Caveat when you tighten this: if you remove the root statement and no remaining principal named in the key policy can call kms:PutKeyPolicy, the key becomes unmanageable and only AWS Support can get it back.
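To make the rule concrete, here is an added toy model of how a key policy and the caller's IAM policy combine under the rules described in this note. It is example code written for this page, not AWS's actual authorization engine and not the note author's code: the account IDs, role names and policy documents are constructed for the demo, and it deliberately ignores explicit Deny, Condition elements, KMS grants, SCPs and permission boundaries.

```python
"""Toy model of how a KMS key policy combines with IAM identity policies.

Added illustration, not AWS code and not the note's own. It models only the
rule described above; as a simplification (assumption) it ignores explicit
Deny, Condition elements, KMS grants, SCPs and permission boundaries, and
honours '*' as the only wildcard in Action and Principal.
"""
import re

# Constructed sample accounts and principals (assumptions for the demo).
ACCOUNT_A = "111122223333"                      # owns the key
ACCOUNT_B = "444455556666"                      # external account
ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/app"
OTHER_A = f"arn:aws:iam::{ACCOUNT_A}:role/other"
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/consumer"


def root_arn(account_id):
    return f"arn:aws:iam::{account_id}:root"


def account_of(principal_arn):
    return principal_arn.split(":")[4]          # 5th field of an IAM ARN


# Console-style key policy: "Enable IAM User Permissions" delegates to IAM in
# account A; a second statement lets IAM in account B delegate two actions.
DEFAULT_STYLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": root_arn(ACCOUNT_A)}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow account B to use the key", "Effect": "Allow",
     "Principal": {"AWS": root_arn(ACCOUNT_B)},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

# Key policy with NO root statement: exactly one named role may decrypt.
EXPLICIT_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Only the app role", "Effect": "Allow",
     "Principal": {"AWS": ROLE_A}, "Action": "kms:Decrypt", "Resource": "*"}]}

# Identity policies attached to the caller (no Principal element).
IAM_ALLOW_DECRYPT = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}]}
IAM_ALLOW_ALL_KMS = {"Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
IAM_NONE = {"Statement": []}


def _as_list(x):
    return [x] if isinstance(x, str) else list(x)


def _action_matches(stmt, action):
    """Glob-match the requested action against the statement's Action list."""
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), action)
               for p in _as_list(stmt["Action"]))


def _principals(stmt):
    """Normalise Principal to a list of ARNs; a bare account ID means root."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    return [root_arn(a) if re.fullmatch(r"\d{12}", a) else a
            for a in _as_list(p.get("AWS", []))]


def key_policy_allows(key_policy, principal_arn, action):
    """True if an Allow statement names this exact ARN (or '*') for the action."""
    for stmt in key_policy["Statement"]:
        if stmt["Effect"] == "Allow" and _action_matches(stmt, action):
            names = _principals(stmt)
            if principal_arn in names or "*" in names:
                return True
    return False


def iam_policy_allows(iam_policy, action):
    return any(s["Effect"] == "Allow" and _action_matches(s, action)
               for s in iam_policy["Statement"])


def is_allowed(key_policy, key_account, principal_arn, iam_policy, action):
    """Decide one request under the rule described in the note."""
    caller_account = account_of(principal_arn)
    named_directly = key_policy_allows(key_policy, principal_arn, action)
    account_delegated = key_policy_allows(key_policy, root_arn(caller_account), action)
    if not (named_directly or account_delegated):
        return False            # key policy gives IAM in the caller's account nothing to delegate
    if caller_account == key_account and named_directly:
        return True             # same account and named in the key policy: no IAM policy needed
    # Root-statement delegation (same account) and every cross-account case also
    # need an IAM Allow attached to the caller.
    return iam_policy_allows(iam_policy, action)


def scenarios():
    """Label -> allowed? for the cases the note calls out."""
    return {
        "same_acct_root_plus_iam": is_allowed(DEFAULT_STYLE_POLICY, ACCOUNT_A, ROLE_A, IAM_ALLOW_DECRYPT, "kms:Decrypt"),
        "same_acct_root_but_no_iam": is_allowed(DEFAULT_STYLE_POLICY, ACCOUNT_A, ROLE_A, IAM_NONE, "kms:Decrypt"),
        "same_acct_no_root_iam_only": is_allowed(EXPLICIT_ONLY_POLICY, ACCOUNT_A, OTHER_A, IAM_ALLOW_DECRYPT, "kms:Decrypt"),
        "same_acct_named_no_iam": is_allowed(EXPLICIT_ONLY_POLICY, ACCOUNT_A, ROLE_A, IAM_NONE, "kms:Decrypt"),
        "cross_acct_both_sides": is_allowed(DEFAULT_STYLE_POLICY, ACCOUNT_A, ROLE_B, IAM_ALLOW_DECRYPT, "kms:Decrypt"),
        "cross_acct_key_policy_only": is_allowed(DEFAULT_STYLE_POLICY, ACCOUNT_A, ROLE_B, IAM_NONE, "kms:Decrypt"),
        "cross_acct_iam_only": is_allowed(EXPLICIT_ONLY_POLICY, ACCOUNT_A, ROLE_B, IAM_ALLOW_DECRYPT, "kms:Decrypt"),
        "cross_acct_beyond_delegation": is_allowed(DEFAULT_STYLE_POLICY, ACCOUNT_A, ROLE_B, IAM_ALLOW_ALL_KMS, "kms:Encrypt"),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label:30s} {'ALLOW' if ok else 'DENY'}")
```

The scenarios are the note's points in executable form: the root statement plus an IAM allow works in the same account, the root statement alone grants nobody, an IAM allow is useless when the key policy never names the principal or its account, a principal named directly in the key policy needs no IAM policy in the same account, and cross-account callers need both sides (and cannot exceed what the key policy delegated to their account, even with kms:* in their own IAM policy).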