Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Disabled AWS KMS keys

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Check for any disabled Amazon Key Management Service (KMS) keys available within your AWS account and remove them in order to lower the cost of your monthly bill.

Cost
optimisation

Each custom KMS Customer Master Key (CMK) that you create within your AWS account, regardless of whether is enabled (active) or disabled (inactive), costs $1/month until you delete it. As the disabled keys are not in use anymore and are also charged, it is recommended to delete these keys in order to optimize your AWS costs.

Note 1: You are not charged for AWS-managed CMKs (i.e. default encryption keys created on your behalf when you first attempt to encrypt an AWS resource) and CMKs that are scheduled for deletion.

Note 2: Recover your encrypted data - once a KMS CMK is deleted, all data encrypted under that key becomes unrecoverable. AWS KMS service allows a minimum waiting period of 7 days to verify whether your keys are still needed to decrypt the data before these are completely deleted. The deletion can be canceled any time before the waiting period expires.

Audit

To determine if you have any disabled AWS KMS keys within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Region dropdown menu:

Region Dropdown

05 In the Status column, check for any KMS Customer Master Keys (CMKs) that have the status set to Disabled. See Remediation/Resolution section to remove any AWS KMS CMKs that are currently disabled (inactive).

06 Change the AWS region from the Region dropdown menu and repeat the entire audit process for other regions.

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) using custom query filters to list the IDs of all KMS Customer Master Keys available within the selected AWS region: 

aws kms list-keys
	--region us-east-1
	--query 'Keys[*].KeyId'

02 The command output should return an array with the requested key IDs: 

[
	"12345678-149d-44fa-b788-aaabbbcccddd",
	...
	"12345678-4983-44d7-8643-aaabbbcccddd"
]

03 Run describe-key command (OSX/Linux/UNIX) using the ID of the KMS key returned at the previous step and custom query filters to display the status for the selected encryption key: 

aws kms describe-key
	--region us-east-1
	--key-id 12345678-149d-44fa-b788-aaabbbcccddd
	--query 'KeyMetadata.KeyState'

04 The command output should return the AWS KMS key current status ("Enabled" for active, "Disabled" for inactive): 

"Disabled"

If the command output returned is "Disabled", the selected AWS KMS encryption key is currently disabled (inactive).

05 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To schedule deletion for any disabled KMS Customer Master Keys available in your AWS account, perform the following:

Note: AWS Key Management System (KMS) allows a waiting period between 7 and 30 days before the encryption key is completely deleted and unrecoverable. The deletion can be canceled any time before the waiting period expires.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Encryption Keys.

04 Choose the necessary AWS region from the Region dropdown menu:

Region Dropdown

05 Select the disabled AWS KMS key that you want to remove (see Audit section part I to identify the right resource).

06 Click on the Key Actions dropdown button from the dashboard top menu and select Schedule key deletion option.

07 Within Schedule key deletion dialog box, inside Waiting period (in days) box, enter a number between 7 and 30 (days), then click Schedule deletion button to schedule the selected key for deletion. The key status should change now into Pending Deletion.

08 Repeat step no. 5 – 7 to remove other disabled AWS KMS keys provisioned in the current region.

09 Change the AWS region from the Region dropdown menu and repeat the process for other regions.

Using AWS CLI

01 Run schedule-key-deletion command (OSX/Linux/UNIX) to schedule the deletion of the disabled AWS CMKs available within the selected region. The following command example sets 7 days for the waiting period, before deletion occurs (if you don’t provide a waiting period, the default period of 30 days is used): 

aws kms schedule-key-deletion
	--region us-east-1
	--key-id 12345678-149d-44fa-b788-aaabbbcccddd
	--pending-window-in-days 7

02 The command output should return the necessary metadata (i.e. the KMS key ID and the deletion date set in Unix format), e.g.: 

{
    "KeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-149d-44fa-b788-aaabbbcccddd",
    "DeletionDate": 1505520000.0
}

03 Repeat step no. 1 and 2 to schedule for deletion other disabled (inactive) AWS KMS keys provisioned in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

To cancel any AWS KMS key deletion before the waiting period ends, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Encryption Keys.

04 Choose the necessary AWS region from the Region dropdown menu:

Region Dropdown

05 Select the encryption key that you want to recover, with the status set to Pending Deletion.

06 Click on the Key Actions dropdown button from the dashboard top menu and select Cancel key deletion option. The selected key status should change back to Disabled.

07 Repeat step no. 5 and 6 to recover other scheduled AWS KMS keys available in the current region.

08 Change the AWS region from the Region dropdown menu and repeat the process for other regions.

Using AWS CLI

01 Run cancel-key-deletion command (OSX/Linux/UNIX) using the ID of the scheduled key to cancel the AWS KMS key deletion process (i.e. to recover the KMS key scheduled for deletion): 

aws kms cancel-key-deletion
	--region us-east-1
	--key-id 12345678-149d-44fa-b788-aaabbbcccddd

02 The command output should return the key ARN (Amazon Resource Name): 

{
    "KeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-149d-44fa-b788-aaabbbcccddd"
}

03 Repeat step no. 1 and 2 to recover other AWS KMS keys scheduled for deletion, available in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat the process for other regions.

References

Publication date Sep 26, 2017

Related KMS rules