Recover KMS Customer Master Keys

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features

Home Knowledge Base KMS Recover KMS Customer Master Keys

Last updated: 10 November 2017

Reliability

Risk level: Medium (should be achieved)

Identify any disabled AWS KMS Customer Master Keys (CMK) that have been accidentally or intentionally scheduled for deletion in order to prevent losing any data encrypted with these keys.

This rule resolution is part of the Cloud Conformity Base Auditing Package

When a CMK is deleted, all data encrypted under that key becomes unrecoverable. However, AWS does not remove the key instantly, instead enforce a waiting period between 7 and 30 days to verify whether the key is still needed to decrypt the data and allows you to recover the key by canceling the scheduled delete action.

Audit

To determine if you have any KMS Customer Master Keys (CMK) scheduled for deletion, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

kms-filter-menu.png

04 Select the appropriate AWS region from the Filter menu:

05 Under Status column:

check for any keys scheduled for deletion. If the current status is Pending Deletion, the key is scheduled for deletion.

06 Repeat step no. 4 and 5 for all AWS regions.

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) to list all Customer Master keys available in the selected AWS region:

aws kms list-keys
	--region us-east-1

02 The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:
                       key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"
        },
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:
                       key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
            "KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647"
        }
    ]
}

03 Run describe-key command (OSX/Linux/UNIX) using each CMK ID in order to identify any keys scheduled for deletion:

aws kms describe-key
	--key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05

04 The command output should expose the selected CMK metadata. If the KeyState config parameter value is set to PendingDeletion, the key is scheduled for deletion:

{
    "KeyMetadata": {
        "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "Description": "",
        "DeletionDate": 1461196800.0,
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingDeletion",
        "CreationDate": 1460543921.053,
        "Arn": "arn:aws:kms:us-east-1:123456789012:
                key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "AWSAccountId": "123456789012"
    }
}

Remediation / Resolution

AWS Key Management System allows a waiting period between 7 and 30 days before the key is completely deleted and unrecoverable. The deletion can be canceled any time before the selected waiting period expires. To cancel any KMS CMK scheduled for deletion, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu:

05 Under Status column, check for any keys scheduled for deletion with the current status set to Pending Deletion.

06 Select the key, click the Key Actions button from the dashboard top menu and select Cancel key deletion:

Once the scheduled delete action is canceled, the key status moves from 'Pending Deletion' to 'Disabled'.

07 Repeat step no. 4, 5 and 6 for all AWS regions.

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) to list all Customer Master Keys available in the selected AWS region:

aws kms list-keys
	--region us-east-1

02 The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:
                       key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"
        },
        {
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:
                       key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
            "KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647"
        }
    ]
}

03 Run describe-key command (OSX/Linux/UNIX) using each CMK ID in order to identify any keys scheduled for deletion available in the current AWS region:

aws kms describe-key
	--key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05

04 The command output should expose the selected CMK metadata. If the KeyState parameter value is set to PendingDeletion, the key is scheduled for deletion:

{
    "KeyMetadata": {
        "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "Description": "",
        "DeletionDate": 1461196800.0,
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "PendingDeletion",
        "CreationDate": 1460543921.053,
        "Arn": "arn:aws:kms:us-east-1:123456789012:
                key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "AWSAccountId": "123456789012"
    }
}

05 Run cancel-key-deletion command (OSX/Linux/UNIX) to cancel the delete action for the selected Customer Master Key (CMK):

aws kms cancel-key-deletion
	--key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05

06 Run again describe-key command (OSX/Linux/UNIX) to expose the CMK current status. If the operation was successful, the CMK KeyState parameter value moves from 'PendingDeletion' to 'Disabled':

{
    "KeyMetadata": {
        "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "Description": "",
        "DeletionDate": 1461196800.0,
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Disabled",
        "CreationDate": 1460543921.053,
        "Arn": "arn:aws:kms:us-east-1:123456789012:
                key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
        "AWSAccountId": "123456789012"
    }
}

References

AWS Command Line Interface (CLI) Documentation
kms
list-keys
describe-key
cancel-key-deletion

Publication date Apr 15, 2016

Related KMS rules

Recover KMS Customer Master Keys (Reliability)

Cloud Conformity allows you to automate the auditing process of Recover KMS Customer Master Keys. Register for a 14 day evaluation and check your compliance level for free!

Check your compliance

Recover KMS Customer Master Keys

Risk level: Medium (should be achieved)

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to

Recover KMS Customer Master Keys

Risk level: Medium (should be achieved)

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related KMS rules

Thanks!

A verification email has been sent to

Maintain Exclusive Access

Thanks!

A verification email has been sent to

Unlock the rest of the steps

Thanks!

A verification email has been sent to

Maintain Exclusive Access

Unlock the rest
of the steps