diff --git a/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md b/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md index 7cdafae765..01ac8dab0d 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md @@ -42,9 +42,9 @@ These defines **who can use and access a key in KMS**. By **default:** -* It gives the **AWS account that owns the KMS key full access** to the KMS key. +* It gives the **IAM of the** **AWS account that owns the KMS key access** to manage the access to the KMS key via IAM. - Unlike other AWS resource policies, a AWS **KMS key policy does not automatically give permission to the account or any of its users**. To give permission to account administrators, the **key policy must include an explicit statement** that provides this permission, like this one. + Unlike other AWS resource policies, a AWS **KMS key policy does not automatically give permission any of the principals of the account**. To give permission to account administrators, the **key policy must include an explicit statement** that provides this permission, like this one. * Without allowing the account(`"AWS": "arn:aws:iam::111122223333:root"`) IAM permissions won't work. * It **allows the account to use IAM policies** to allow access to the KMS key, in addition to the key policy.
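Review bot: the rewritten first bullet in this hunk has two grammar problems and now overlaps the last bullet. "It gives the **IAM of the** **AWS account that owns the KMS key access** to manage the access" should read something like "It gives the **AWS account that owns the KMS key** (its root principal) access to the key, which lets that account **manage access via IAM**"; as written, "the IAM of the account" is not a thing, and the split bold markers render oddly. The replaced sentence below it drops the object: "does not automatically give permission any of the principals" needs "permission **to** any of the principals", and "a AWS KMS key policy" should be "an AWS KMS key policy" while the line is being touched. Finally, "access to manage the access to the KMS key via IAM" says the same thing as the unchanged bullet "It **allows the account to use IAM policies** to allow access to the KMS key"; either keep the original "full access" wording in the first bullet or fold the IAM point into that last bullet so the two do not repeat each other.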