Recover KMS Customer Master Keys

Last updated: 10 November 2017
Reliability

Risk level: Medium (should be achieved)

Identify any disabled AWS KMS Customer Master Keys (CMKs) that have been accidentally or intentionally scheduled for deletion, in order to avoid losing the data encrypted with these keys.

This rule resolution is part of the Cloud Conformity Base Auditing Package

When a CMK is deleted, all data encrypted under that key becomes unrecoverable. However, AWS does not remove the key instantly; instead it enforces a waiting period of between 7 and 30 days, during which you can verify whether the key is still needed to decrypt data and, if so, recover it by canceling the scheduled deletion.

Audit

To determine whether you have any KMS Customer Master Keys (CMKs) scheduled for deletion, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu.

05 Under the Status column, check for any keys scheduled for deletion. If the current status is Pending Deletion, the key is scheduled for deletion.

06 Repeat steps 4 and 5 for all other AWS regions.

Using AWS CLI

01 Run the list-keys command (OSX/Linux/UNIX) to list all Customer Master Keys available in the selected AWS region:

aws kms list-keys \
	--region us-east-1

02 The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"
        },
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
            "KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647"
        }
    ]
}

03 Run the describe-key command (OSX/Linux/UNIX) with each CMK ID in order to identify any keys scheduled for deletion:

aws kms describe-key \
	--key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05

04 The command output should expose the selected CMK metadata. If the KeyState parameter value is set to PendingDeletion, the key is scheduled for deletion:

{
    "KeyMetadata": {
        "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "Description": "",
        "DeletionDate": 1461196800.0,
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingDeletion",
        "CreationDate": 1460543921.053,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "AWSAccountId": "123456789012"
    }
}

Remediation / Resolution

AWS Key Management Service (KMS) enforces a waiting period of between 7 and 30 days before a key is completely deleted and becomes unrecoverable. The deletion can be canceled at any time before the selected waiting period expires. To cancel the deletion of any KMS CMK scheduled for deletion, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu.

05 Under the Status column, check for any keys scheduled for deletion, i.e. keys whose current status is Pending Deletion.

06 Select the key, click the Key Actions button in the dashboard top menu and select Cancel key deletion.

Once the scheduled delete action is canceled, the key status moves from 'Pending Deletion' to 'Disabled'.

07 Repeat steps 4, 5 and 6 for all other AWS regions.

Using AWS CLI

01 Run the list-keys command (OSX/Linux/UNIX) to list all Customer Master Keys available in the selected AWS region:

aws kms list-keys \
	--region us-east-1

02 The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"
        },
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
            "KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647"
        }
    ]
}

03 Run the describe-key command (OSX/Linux/UNIX) with each CMK ID in order to identify any keys scheduled for deletion in the current AWS region:

aws kms describe-key \
	--key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05

04 The command output should expose the selected CMK metadata. If the KeyState parameter value is set to PendingDeletion, the key is scheduled for deletion:

{
    "KeyMetadata": {
        "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "Description": "",
        "DeletionDate": 1461196800.0,
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingDeletion",
        "CreationDate": 1460543921.053,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "AWSAccountId": "123456789012"
    }
}

05 Run the cancel-key-deletion command (OSX/Linux/UNIX) to cancel the scheduled deletion of the selected Customer Master Key (CMK):

aws kms cancel-key-deletion \
	--key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05

06 Run the describe-key command (OSX/Linux/UNIX) again to expose the current CMK status. If the operation was successful, the CMK KeyState parameter value has moved from 'PendingDeletion' to 'Disabled':

{
    "KeyMetadata": {
        "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "Description": "",
        "DeletionDate": 1461196800.0,
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Disabled",
        "CreationDate": 1460543921.053,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "AWSAccountId": "123456789012"
    }
}
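The two CLI procedures above (the audit for PendingDeletion keys and the cancel-key-deletion remediation) automated in one script, added here as an example and not Cloud Conformity's own code. The pure functions work on the describe-key JSON shown on the page and run offline; remediate_region() assumes boto3 and credentials for the target account, and its region name and the sample key documents are constructed.

```python
"""Audit KMS CMKs for PendingDeletion and cancel the scheduled deletion (added
example, not Cloud Conformity's tooling). Pure functions take `aws kms describe-key`
JSON and run offline; remediate_region() assumes boto3 and account credentials."""
import time

PENDING = "PendingDeletion"

def pending_deletion(metadata):
    """True when a describe-key KeyMetadata document is scheduled for deletion."""
    return metadata.get("KeyState") == PENDING

def audit(describe_outputs, now_epoch):
    """[(key_id, days_left)] for every PendingDeletion key, most urgent first.
    DeletionDate is epoch seconds, so days_left is the remaining waiting period."""
    findings = []
    for doc in describe_outputs:
        meta = doc["KeyMetadata"]
        if pending_deletion(meta):
            findings.append((meta["KeyId"], (meta["DeletionDate"] - now_epoch) / 86400))
    return sorted(findings, key=lambda f: f[1])

def remediate_region(region):
    """Live path: cancel deletion for every pending CMK in `region` and return
    [(key_id, state_after)]. Needs kms:ListKeys, DescribeKey, CancelKeyDeletion."""
    import boto3  # imported here so the offline functions above need no AWS libs
    kms = boto3.client("kms", region_name=region)
    recovered = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            if not pending_deletion(meta):
                continue
            kms.cancel_key_deletion(KeyId=meta["KeyId"])
            after = kms.describe_key(KeyId=meta["KeyId"])["KeyMetadata"]["KeyState"]
            # A recovered key comes back Disabled: it cannot decrypt anything until
            # kms.enable_key(KeyId=...) is run, which should be a deliberate step.
            recovered.append((meta["KeyId"], after))
    return recovered

# Constructed sample: the describe-key output quoted on the page plus one healthy key.
SAMPLE = [
    {"KeyMetadata": {"KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05", "Enabled": False,
                     "KeyState": "PendingDeletion", "DeletionDate": 1461196800.0}},
    {"KeyMetadata": {"KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647", "Enabled": True,
                     "KeyState": "Enabled"}},
]

if __name__ == "__main__":
    for key_id, days in audit(SAMPLE, time.time()):
        print(f"{key_id}: {days:.1f} days left -> aws kms cancel-key-deletion --key-id {key_id}")
```

Run it against a real account by calling remediate_region("us-east-1") once per region; the returned states should all read Disabled, matching step 06.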

Publication date Apr 15, 2016