Check for any disabled Amazon Key Management Service (KMS) keys available within your AWS account and remove them in order to lower the cost of your monthly bill.
Each custom KMS Customer Master Key (CMK) that you create within your AWS account, regardless of whether is enabled (active) or disabled (inactive), costs $1/month until you delete it. As the disabled keys are not in use anymore and are also charged, it is recommended to delete these keys in order to optimize your AWS costs.
Note 1: You are not charged for AWS-managed CMKs (i.e. default encryption keys created on your behalf when you first attempt to encrypt an AWS resource) and CMKs that are scheduled for deletion.
Note 2: Recover your encrypted data - once a KMS CMK is deleted, all data encrypted under that key becomes unrecoverable. AWS KMS service allows a minimum waiting period of 7 days to verify whether your keys are still needed to decrypt the data before these are completely deleted. The deletion can be canceled any time before the waiting period expires.
To determine if you have any disabled AWS KMS keys within your AWS account, perform the following:
Remediation / Resolution
To schedule deletion for any disabled KMS Customer Master Keys available in your AWS account, perform the following:Note: AWS Key Management System (KMS) allows a waiting period between 7 and 30 days before the encryption key is completely deleted and unrecoverable. The deletion can be canceled any time before the waiting period expires.
To cancel any AWS KMS key deletion before the waiting period ends, perform the following:
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Disabled AWS KMS keys
Risk level: Low