Every time a new CMK is created, the root of the account in which the CMK is created will always have full access to the CMK within the key policy. This ensures that you will always be able to have admin access to the CMK because the root account can't be deleted, whereas other users can be.
In addition to this, granting the root account full access also provides another very useful function. It enables you to use IAM policies to grant access to the CMK for both the key administrator and users.
When a policy is created, you will see a section at the beginning of the policy that looks like this:
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::730739171055:root"
},
"Action": "kms:*",
"Resource": "*"...