Logo of Trend Micro

Unused Customer Master Key

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: KMS-003

Check for any disabled KMS Customer Master Keys in your AWS account and remove them in order to lower the cost of your monthly AWS bill.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Cost
optimisation

As of April 2016, each Customer Master Key that you create in AWS KMS costs $1 / month, regardless whether is being used or not. Since the KMS disabled keys are also charged, it is recommended to delete these keys in order to avoid any unexpected charges on your bill.

Note: Recover your encrypted data - once a CMK is deleted, all data encrypted under that key becomes unrecoverable. AWS KMS service allows a minimum waiting period of 7 days to verify whether your keys are still needed to decrypt the data before these are completely deleted. The deletion can be canceled any time before the waiting period expires.

Audit

To determine if you have any customer master keys (CMK) disabled in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu:

Select the appropriate AWS region from the Filter menu

05 And check for any disabled customer master keys under the Status column:

check for any disabled customer master keys under the Status column

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) to list all customer master keys available in the current AWS region: 

aws kms list-keys

02 The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region: 

{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-west-2:123456789012:
                       key/3a7df780-f05e-4477-aecf-5624f6be1b0c",
            "KeyId": "3a7df780-f05e-4477-aecf-5624f6be1b0c"
        },

		...

        {
            "KeyArn": "arn:aws:kms:us-west-2:123456789012:
                       key/8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
            "KeyId": "8e1a0a1b-fa71-4077-8fde-e4cab5f1458c"
        }
    ]
}

03 Run describe-key command (OSX/Linux/UNIX) for each CMK in order to identify any disabled keys available in the current AWS region: 

aws kms describe-key
	--key-id 8e1a0a1b-fa71-4077-8fde-e4cab5f1458c

04 The command output should expose any disabled CMK created in your current AWS region (true for enabled, false for disabled): 

{
    "KeyMetadata": {
        "KeyId": "8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
        "Description": "CMK used for EBS volumes encryption",
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Disabled",
        "CreationDate": 1459931027.952,
        "Arn": "arn:aws:kms:us-west-2:123456789012:
                key/8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
        "AWSAccountId": "123456789012"
    }
}

Remediation / Resolution

AWS Key Management System allows a waiting period between 7 and 30 days before the key is completely deleted and unrecoverable. The deletion can be canceled any time before the waiting period expires.

To schedule deletion for any disabled customer master keys in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu:

Select the appropriate AWS region from the Filter menu

05 And check for any disabled customer master keys under the Status column:

check for any disabled customer master keys under the Status column

06 Select the disabled key:

Select the disabled key

07 Click on the Key Actions dropdown menu and select Schedule key deletion:

Click on the Key Actions dropdown menu and select Schedule key deletion

08 In the Schedule key deletion dialog box, under Waiting period (in days) section, enter a value between 7 and 30 (days) and click Schedule deletion:

Waiting period (in days) section, enter a value between 7 and 30 (days) and click Schedule deletion

09 The selected key status should change into Pending Deletion:

The selected key status should change into Pending Deletion

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) to list all customer master keys available in the current AWS region: 

aws kms list-keys

02 The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region: 

{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-west-2:123456789012:
                       key/3a7df780-f05e-4477-aecf-5624f6be1b0c",
            "KeyId": "3a7df780-f05e-4477-aecf-5624f6be1b0c"
        },

		...

        {
            "KeyArn": "arn:aws:kms:us-west-2:123456789012:
                       key/8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
            "KeyId": "8e1a0a1b-fa71-4077-8fde-e4cab5f1458c"
        }
    ]
}

03 Run describe-key command (OSX/Linux/UNIX) for each CMK in order to identify any disabled keys available in the current AWS region: 

aws kms describe-key
	--key-id 8e1a0a1b-fa71-4077-8fde-e4cab5f1458c

04 The command output should expose any disabled CMK created in your current AWS region (true for enabled, false for disabled): 

{
    "KeyMetadata": {
        "KeyId": "8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
        "Description": "CMK used for EBS volumes encryption",
        "Enabled": false,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Disabled",
        "CreationDate": 1459931027.952,
        "Arn": "arn:aws:kms:us-west-2:123456789012:
                key/8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
        "AWSAccountId": "123456789012"
    }
}

05 Run schedule-key-deletion command (OSX/Linux/UNIX) to schedule deletion for any disabled keys available in the current AWS region. The following example sets 7 days for the key pending deletion time: 

aws kms schedule-key-deletion
	--key-id 8e1a0a1b-fa71-4077-8fde-e4cab5f1458c
	--pending-window-in-days 7

06 The command output should return a positive value for the DeletionDate key property: 

{
    "KeyId": "arn:aws:kms:us-west-2:123456789012:
              key/8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
    "DeletionDate": 1460592000.0
}

To cancel any key deletion before the waiting period ends, perform the following

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu:

Select the appropriate AWS region from the Filter menu

05 Under the Status column, check for any customer master key with Pending Deletion status:

The selected key status should change into Pending Deletion

06 Select the key that you want to recover.

07 Click on the Key Actions dropdown menu and select Cancel key deletion:

Click on the Key Actions dropdown menu and select Cancel key deletion

08 The selected key status should change back to Disabled.

Using AWS CLI

01 Run cancel-key-deletion command (OSX/Linux/UNIX) to cancel any key deletion via AWS CLI as shown in the following example:

aws kms cancel-key-deletion
	--key-id 8e1a0a1b-fa71-4077-8fde-e4cab5f1458c

02 The command output should return the customer master key ARN (Amazon Resource Name):

{
    "KeyId": "arn:aws:kms:us-west-2:123456789012:
              key/8e1a0a1b-fa71-4077-8fde-e4cab5f1458c"
}

References

Publication date Apr 7, 2016

Related KMS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Unused Customer Master Key

Risk level: Low