KMS Customer Master Key Pending Deletion

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: KMS-004

Identify any disabled AWS KMS Customer Master Keys (CMK) that have been accidentally or intentionally scheduled for deletion in order to prevent losing any data encrypted with these keys.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

When a CMK is deleted, all data encrypted under that key becomes unrecoverable. However, AWS does not remove the key instantly; instead it enforces a waiting period of between 7 and 30 days so you can verify whether the key is still needed to decrypt data, and it lets you recover the key by canceling the scheduled deletion at any time during that period.


Audit

To determine if you have any KMS Customer Master Keys (CMK) scheduled for deletion, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu.

05 Under the Status column, check for any keys scheduled for deletion. If the current status is Pending Deletion, the key is scheduled for deletion.

06 Repeat steps no. 4 and 5 for all AWS regions.

Using AWS CLI

01 Run the list-keys command (OSX/Linux/UNIX) to list all Customer Master Keys available in the selected AWS region:

aws kms list-keys \
	--region us-east-1

02 The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"
        },
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
            "KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647"
        }
    ]
}

03 Run the describe-key command (OSX/Linux/UNIX) with each CMK ID to identify any keys scheduled for deletion:

aws kms describe-key \
	--key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05

04 The command output should expose the selected CMK metadata. If the KeyState parameter value is set to PendingDeletion, the key is scheduled for deletion:

{
    "KeyMetadata": {
        "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "Description": "",
        "DeletionDate": 1461196800.0,
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingDeletion",
        "CreationDate": 1460543921.053,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "AWSAccountId": "123456789012"
    }
}

Remediation / Resolution

AWS Key Management Service (KMS) enforces a waiting period of between 7 and 30 days before the key is completely deleted and unrecoverable. The deletion can be canceled at any time before the selected waiting period expires. To cancel any KMS CMK scheduled for deletion, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu.

05 Under the Status column, check for any keys scheduled for deletion, i.e. keys with the current status set to Pending Deletion.

06 Select the key, click the Key Actions button from the dashboard top menu and select Cancel key deletion.

Once the scheduled delete action is canceled, the key status moves from 'Pending Deletion' to 'Disabled'.

07 Repeat steps no. 4, 5 and 6 for all AWS regions.

Using AWS CLI

01 Run the list-keys command (OSX/Linux/UNIX) to list all Customer Master Keys available in the selected AWS region:

aws kms list-keys \
	--region us-east-1

02 The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"
        },
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
            "KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647"
        }
    ]
}

03 Run the describe-key command (OSX/Linux/UNIX) with each CMK ID to identify any keys in the current AWS region that are scheduled for deletion:

aws kms describe-key \
	--key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05

04 The command output should expose the selected CMK metadata. If the KeyState parameter value is set to PendingDeletion, the key is scheduled for deletion:

{
    "KeyMetadata": {
        "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "Description": "",
        "DeletionDate": 1461196800.0,
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingDeletion",
        "CreationDate": 1460543921.053,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "AWSAccountId": "123456789012"
    }
}

05 Run the cancel-key-deletion command (OSX/Linux/UNIX) to cancel the delete action for the selected Customer Master Key (CMK):

aws kms cancel-key-deletion \
	--key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05

06 Run the describe-key command (OSX/Linux/UNIX) again to expose the current CMK status. If the operation was successful, the CMK KeyState parameter value moves from 'PendingDeletion' to 'Disabled':

{
    "KeyMetadata": {
        "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "Description": "",
        "DeletionDate": 1461196800.0,
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Disabled",
        "CreationDate": 1460543921.053,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "AWSAccountId": "123456789012"
    }
}
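Scripted form of the CLI audit (list-keys, describe-key, check KeyState) and the cancel-key-deletion remediation above, added here as an example that is not Conformity's or AWS's code. It follows list-keys pagination so truncated listings do not hide keys, reports the days left before each DeletionDate, and cancels deletion only for the key the operator names. FakeKms is a constructed stand-in for a boto3 KMS client; the two key IDs and the DeletionDate come from the page's sample output, the third key is made up.

```python
from datetime import datetime

def iter_key_ids(kms):
    """Follow list-keys pagination (Truncated/NextMarker) so no CMK is skipped."""
    kwargs = {}
    while True:
        page = kms.list_keys(**kwargs)
        for key in page["Keys"]:
            yield key["KeyId"]
        if not page.get("Truncated"):
            return
        kwargs = {"Marker": page["NextMarker"]}

def keys_pending_deletion(kms, now_epoch):
    """Return [(KeyId, days left before DeletionDate)] for CMKs in PendingDeletion."""
    findings = []
    for key_id in iter_key_ids(kms):
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if meta["KeyState"] != "PendingDeletion":
            continue
        deletion = meta["DeletionDate"]  # boto3 returns a datetime, the CLI an epoch float
        if isinstance(deletion, datetime):
            deletion = deletion.timestamp()
        findings.append((key_id, round((deletion - now_epoch) / 86400, 1)))
    return findings

def cancel_deletion(kms, key_id):
    """Remediate one CMK and return its KeyState after cancel-key-deletion."""
    kms.cancel_key_deletion(KeyId=key_id)
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]

class FakeKms:
    """Constructed stand-in for boto3's KMS client (swap in boto3.client("kms") per region)."""
    def __init__(self):
        self.state = {"0a865351-7c39-4ef1-a4a3-03280af8ee05": "PendingDeletion",  # from the page
                      "265bb9c7-ccfc-4cf1-9686-54866f31d647": "Enabled",          # from the page
                      "11111111-2222-3333-4444-555555555555": "Disabled"}         # constructed
    def list_keys(self, Marker=None):
        ids = list(self.state)  # served as two pages to exercise the pagination loop
        if Marker is None:
            return {"Keys": [{"KeyId": ids[0]}], "Truncated": True, "NextMarker": "page2"}
        return {"Keys": [{"KeyId": i} for i in ids[1:]], "Truncated": False}
    def describe_key(self, KeyId):
        meta = {"KeyId": KeyId, "KeyState": self.state[KeyId]}
        if meta["KeyState"] == "PendingDeletion":
            meta["DeletionDate"] = 1461196800.0  # 2016-04-21T00:00Z, the page's sample value
        return {"KeyMetadata": meta}
    def cancel_key_deletion(self, KeyId):
        self.state[KeyId] = "Disabled"  # KMS leaves a restored key disabled, not enabled
        return {"KeyId": KeyId}
```

Run `keys_pending_deletion` once per region against a real client to reproduce the "repeat for all AWS regions" step; a restored key still has to be re-enabled before it can decrypt again.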

Publication date Apr 15, 2016