4 min read | Saved February 14, 2026
Do you care about this?
The author shares a misstep during an AWS migration from IAM Users to SSO, resulting in a permissions error related to a KMS key. After discovering the issue, they detail the recovery process and a new checklist step to prevent similar problems in the future.
If you do, here's more
The author, an AWS consultant, details a migration experience from IAM Users to SSO, revealing a significant oversight that led to access issues with KMS keys. After completing the migration and deleting IAM users, the author attempted to upgrade their infrastructure using a new Terraform module. An error occurred during the Terraform apply process, indicating that the SSO account lacked permission to modify a KMS key alias, which had been created under the deleted IAM user. This oversight stemmed from the author’s failure to update KMS key policies before deleting those users.
Initially, the author thought they could work around the problem by removing the KMS key from the Terraform state and allowing it to create a new one. However, subsequent changes revealed that Terraform was unable to update the EKS cluster’s KMS key association, as AWS doesn’t allow changes to the encryption key after cluster creation. When faced with this issue, the author sought recovery access using the root login but found that even those permissions weren’t sufficient to modify the KMS policy. The solution involved contacting AWS Support, which required creating IAM users for each affected KMS key to regain access.
Following a set of instructions from AWS Support, the author successfully navigated the recovery process. The AWS team granted the necessary permissions to the KMS key without disrupting existing policies. Ultimately, this experience prompted a critical addition to the author’s migration checklist: updating KMS key policies before removing IAM users. The story underscores the importance of thorough planning and attention to detail in cloud migrations, especially regarding access management and permissions.
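As an added example (not code from the article, which does not show its key policies), here is a Python check for the checklist step the author adds: it audits a KMS key policy for principals that are IAM users about to be removed, for principals already orphaned by a deletion, and for a missing grant to the account root. The account ID, user name and SSO role name are constructed placeholders.

```python
import json
import re

ACCOUNT_ID = "111122223333"  # constructed sample account ID

# Constructed: the state the article describes, where the only key
# administrator is an IAM user that the SSO migration is about to delete.
WEAK_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmin", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/terraform-deployer"}}]})

# Constructed: the policy after the checklist step, granting the account root
# (so IAM policies apply and the key stays recoverable) and the SSO role.
FIXED_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMPolicies", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}},
    {"Sid": "SSOKeyAdmin", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/AWSReservedSSO_Admin_example"}}]})

IAM_USER_ARN = re.compile(r"^arn:aws:iam::\d{12}:user/")
# Once a referenced IAM user is deleted, AWS rewrites the principal in the
# policy to the user's unique ID, which for IAM users begins with "AIDA".
ORPHANED_USER_ID = re.compile(r"^AIDA[A-Z0-9]+$")


def _aws_principals(statement):
    # Normalise the Principal element ("*", a string, or a list) to a list.
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def audit_key_policy(policy_json, account_id):
    # Returns a list of findings; an empty list means the policy is safe to
    # keep when the account's IAM users are removed.
    findings = []
    root_arn = f"arn:aws:iam::{account_id}:root"
    has_root = False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _aws_principals(stmt):
            if p == root_arn:
                has_root = True
            elif IAM_USER_ARN.match(p):
                findings.append(f"IAM user principal: {p}")
            elif ORPHANED_USER_ID.match(p):
                findings.append(f"orphaned principal (deleted IAM user): {p}")
    if not has_root:
        findings.append("account root not granted: IAM policies and SSO roles cannot reach the key")
    return findings
```

Run the audit over every key's policy (from `kms:GetKeyPolicy`) before the "delete IAM users" step; any non-empty result is a key that needs its policy updated first.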