Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Unused Customer Master Key

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: KMS-003

Identify and remove any disabled Amazon KMS Customer Master Keys (CMKs) from your AWS cloud account in order to lower the cost of your AWS bill.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost
optimisation
Sustainability

Each Customer Master Keys (CMK) that you create with Amazon KMS costs $1 / month until you delete it, regardless of whether it is being used or not or where the underlying key material was generated. Because the disabled CMKs are also charged, it is recommended to delete the unused keys in order to avoid any unexpected charges on your AWS bill.

Note: Recover your encrypted data: once a Customer Master Key is deleted, all data encrypted under that key becomes unrecoverable. Amazon KMS service allows a minimum waiting period of 7 days to verify whether your keys are still needed to decrypt the data before these are completely deleted. The deletion can be canceled any time before the waiting period expires.

Audit

To determine if there are any disabled (unused) Customer Master Keys (CMKs) available within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the navigation panel, under Key Management Service (KMS), choose Customer managed keys.

04 Click on the name (alias) of the customer-provided Customer Master Key (CMK) that you want to examine.

05 In the General configuration section, check the Status attribute value to determine the current state of the selected key. If the Status attribute value is set to Disabled, the selected Amazon KMS Customer Master Key (CMK) is disabled, therefore the key is considered unused.

06 Repeat steps no. 4 and 5 for each Customer Master Key available within the current AWS region.

07 Change the AWS cloud region from the navigation bar to perform the Audit process for other regions.

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon KMS Customer Master Key (CMK) available in the selected AWS region: 

aws kms list-keys
  --region us-east-1
  --output table
  --query 'Keys[*].KeyId'

02 The command output should return a table with the requested CMK ID(s): 

------------------------------------------
|                ListKeys                |
+----------------------------------------+
|  aaaabbbb-aaaa-bbbb-cccc-123456789012  |
|  bbbbcccc-bbbb-cccc-dddd-123456789012  |
|  aaaadddd-cccc-dddd-aaaa-123456789012  |
|  ddddaaaa-bbbb-cccc-dddd-123456789012  |
+----------------------------------------+

03 Run describe-key command (OSX/Linux/UNIX) using the ID of the Customer Master Key (CMK) that you want to examine as the identifier parameter and custom query filters to describe the current state of the selected KMS key: 

aws kms describe-key
  --region us-east-1
  --key-id aaaabbbb-aaaa-bbbb-cccc-123456789012
  --query 'KeyMetadata.KeyState'

04 The command output should return the state of the selected KMS key: 

"Disabled"

If the describe-key command output returns "Disabled", as shown in the example above, the selected Amazon KMS Customer Master Key (CMK) is disabled, therefore the key is considered unused.

05 Repeat steps no. 3 and 4 for each Customer Master Key available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

Amazon Key Management Service (KMS) allows a waiting period between 7 and 30 days before a Customer Master Key (CMK) is completely deleted and unrecoverable. The deletion can be canceled any time before the waiting period expires. To schedule deletion for any unused (disabled) Customer Master Key available in your AWS cloud account, perform the following operations:

Using Terraform (AWS Provider)

01 To schedule deletion for your unused KMS Customer Master Key (CMK), run the following Terraform command, using the Terraform identifier of the key that you want to delete as the --target parameter: 

terraform destroy --target aws_kms_key.kms-cmk-key

02 Type yes and press Enter to confirm the key deletion: 

│ Warning: Resource targeting is in effect
│ You are creating a plan with the -target option, which means that the result of this plan may not represent all of the changes requested by the current configuration.
│ The -target option is not for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error message.
│

Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the navigation panel, under Key Management Service (KMS), choose Customer managed keys.

04 Select the unused (disabled) Customer Master Key (CMK) that you want to delete, choose Key actions, and select Schedule key deletion.

05 On the Schedule key deletion page, perform the following actions:

  1. Enter a waiting time period between 7 and 30 days in the Waiting period (in days) configuration box.
  2. Select the Confirm that you want to schedule these keys for deletion after a 30 day waiting period checkbox to confirm your action.
  3. Choose Schedule deletion to schedule the key for deletion.

06 Repeat steps no. 4 and 5 for each unused Customer Master Key available within the current AWS region.

07 Change the AWS cloud region from the navigation bar to perform the Remediation process for other regions.

Using AWS CLI

01 Run schedule-key-deletion command (OSX/Linux/UNIX) using the ID of the unused (disabled) Customer Master Key (CMK) that you want to delete as the identifier parameter, to schedule the selected key for deletion. The following command request example sets 7 days for the key pending deletion time: 

aws kms schedule-key-deletion
  --region us-east-1
  --key-id aaaabbbb-aaaa-bbbb-cccc-123456789012
  --pending-window-in-days 7

02 The output should return the schedule-key-deletion command request metadata: 

{
  "KeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-aaaa-bbbb-cccc-123456789012",
  "DeletionDate": 1625294355.752
}

03 Repeat steps no. 1 and 2 for each unused Customer Master Key available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

(Optional) To cancel a Customer Master Key (CMK) deletion before the waiting period ends, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the navigation panel, under Key Management Service (KMS), choose Customer managed keys.

04 Select the Customer Master Key (CMK) scheduled for deletion, choose Key actions, and select Cancel key deletion. The status of the selected CMK should change from Pending deletion to Disabled.

05 Repeat step no. 4 for each Customer Master Key scheduled for deletion, that you want to recover, available within the current AWS region.

06 Change the AWS cloud region from the navigation bar to perform the Remediation process for other regions.

Using AWS CLI

01 Run cancel-key-deletion command (OSX/Linux/UNIX) to cancel the deletion of the Customer Master Key (CMK) that you want to recover, specified by the --key-id command parameter: 

aws kms cancel-key-deletion
  --region us-east-1
  --key-id aaaabbbb-aaaa-bbbb-cccc-123456789012

02 The output should return the Amazon Resource Name (ARN) of the selected KMS key: 

{
  "KeyId": "arn:aws:kms:us-east-1:981005872766:key/aaaabbbb-aaaa-bbbb-cccc-123456789012"
}

03 Repeat steps no. 1 and 2 for each Customer Master Key scheduled for deletion, that you want to recover, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Apr 7, 2016

Related KMS rules