This stemmed from our conversation with our Cybersecurity Team, who asked us to prove how we are restricting access to KMS while using CoSign.

Situation: From our understanding, at the moment, if users at the project level decided to write their own signing step to access our account level delegates, they could grab our KMS private key and verify and sign artifacts/evidence. This is not only for KMS but also for other features in AWS like AWS Secret. At the moment, there is nothing preventing users at the project level from using our account level delegates to grab our AWS account level services.