Check for any disabled KMS Customer Master Keys in your AWS account and remove them in order to lower the cost of your monthly AWS bill.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
As of April 2016, each Customer Master Key that you create in AWS KMS costs $1 / month, regardless of whether it is being used or not. Since disabled KMS keys are charged as well, it is recommended to delete these keys in order to avoid any unexpected charges on your bill.
Note: Recover your encrypted data first. Once a CMK is deleted, all data encrypted under that key becomes unrecoverable. AWS KMS enforces a minimum waiting period of 7 days, during which you can verify whether the key is still needed to decrypt any data, before the key is completely deleted. The deletion can be canceled any time before the waiting period expires.
Audit
To determine if you have any customer master keys (CMK) disabled in your AWS account, perform the following:
Remediation / Resolution
AWS Key Management Service allows a waiting period of between 7 and 30 days before the key is completely deleted and unrecoverable. The deletion can be canceled any time before the waiting period expires.
To schedule deletion for any disabled customer master keys in your AWS account, perform the following:
To cancel any key deletion before the waiting period ends, perform the following:
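The audit and remediation steps above map onto the four KMS operations listed in the references (list-keys, describe-key, schedule-key-deletion, cancel-key-deletion). The following script is an added example, not Cloud Conformity's tooling: it pages through every key, keeps only customer-managed keys whose KeyState is Disabled (AWS-managed keys cannot be scheduled for deletion), and wraps scheduling and cancelling deletion with the 7 to 30 day window enforced. It assumes a boto3-style KMS client; the FakeKms class is a constructed stand-in with sample keys so the logic runs offline, and the real boto3 client is only used when the script is run as a program.

```python
"""Audit disabled customer-managed KMS keys, then schedule or cancel deletion.

Added example (not the page's own tooling). Works with any object exposing the
boto3 KMS methods list_keys, describe_key, schedule_key_deletion and
cancel_key_deletion; FakeKms below is a constructed offline stand-in.
"""
from typing import Dict, Iterable, Iterator, List


def iter_key_metadata(kms) -> Iterator[Dict]:
    """Yield KeyMetadata for every key, following list_keys' NextMarker pagination."""
    marker = None
    while True:
        kwargs = {"Marker": marker} if marker else {}
        page = kms.list_keys(**kwargs)
        for key in page.get("Keys", []):
            yield kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
        if not page.get("Truncated"):
            break
        marker = page["NextMarker"]


def find_disabled_customer_keys(metadata: Iterable[Dict]) -> List[Dict]:
    """Keep customer-managed keys in the Disabled state; skip AWS-managed keys."""
    return [
        m for m in metadata
        if m.get("KeyManager") == "CUSTOMER" and m.get("KeyState") == "Disabled"
    ]


def schedule_deletion(kms, key_ids: Iterable[str], window_days: int = 30) -> Dict[str, str]:
    """Schedule each key for deletion with the given waiting period (7..30 days)."""
    if not 7 <= window_days <= 30:
        raise ValueError("PendingWindowInDays must be between 7 and 30")
    scheduled = {}
    for key_id in key_ids:
        resp = kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=window_days)
        scheduled[key_id] = str(resp.get("DeletionDate"))
    return scheduled


def cancel_deletion(kms, key_id: str) -> str:
    """Cancel a pending deletion; the key returns to the Disabled state."""
    return kms.cancel_key_deletion(KeyId=key_id)["KeyId"]


class FakeKms:
    """Constructed stand-in for a boto3 KMS client (sample keys, two list pages)."""

    def __init__(self):
        self.keys = {
            "key-1": {"KeyId": "key-1", "KeyState": "Enabled", "KeyManager": "CUSTOMER"},
            "key-2": {"KeyId": "key-2", "KeyState": "Disabled", "KeyManager": "CUSTOMER"},
            "key-3": {"KeyId": "key-3", "KeyState": "PendingDeletion", "KeyManager": "CUSTOMER"},
            "key-4": {"KeyId": "key-4", "KeyState": "Enabled", "KeyManager": "AWS"},
        }

    def list_keys(self, Marker=None):
        ids = sorted(self.keys)
        if Marker is None:  # first of two pages, to exercise pagination handling
            return {"Keys": [{"KeyId": i} for i in ids[:2]], "Truncated": True, "NextMarker": ids[2]}
        start = ids.index(Marker)
        return {"Keys": [{"KeyId": i} for i in ids[start:]], "Truncated": False}

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.keys[KeyId])}

    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        self.keys[KeyId]["KeyState"] = "PendingDeletion"
        return {"KeyId": KeyId, "DeletionDate": f"now+{PendingWindowInDays}d"}

    def cancel_key_deletion(self, KeyId):
        self.keys[KeyId]["KeyState"] = "Disabled"
        return {"KeyId": KeyId}


if __name__ == "__main__":
    import boto3  # real client only when run against an account
    kms = boto3.client("kms")
    for m in find_disabled_customer_keys(iter_key_metadata(kms)):
        print("disabled customer-managed key:", m["KeyId"])
    # Review the list before calling schedule_deletion(kms, [...], window_days=30).
```

Run it as-is to get the audit list only; scheduling is a separate, deliberate call so that keys are reviewed (and any data they protect re-encrypted) before the waiting period starts.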
References
- AWS Documentation
  - What is AWS Key Management Service?
  - AWS Key Management Service Concepts
  - Deleting Customer Master Keys
- AWS Command Line Interface (CLI) Documentation
  - kms
  - list-keys
  - describe-key
  - schedule-key-deletion
  - cancel-key-deletion
You are auditing: Unused Customer Master Key
Risk level: Low