AWS KMS Keys

AWS Key Management Service (KMS) provides managed cryptographic keys for data encryption. Unused or misconfigured customer-managed keys can lead to unnecessary costs and security risks.

Implementation Effort: Medium - Estimated time: 1-2 hours. Schedule key deletion (7-30 day mandatory waiting period) after verifying no resources depend on the key for decryption. Enabling rotation is a single API call.

What We Detect

  • Unused keys -- Customer-managed keys with no recent cryptographic operations, likely from decommissioned projects
  • Rotation disabled -- Symmetric keys without automatic key rotation enabled
  • Long rotation periods -- Keys with rotation periods exceeding security best practices
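The three checks above can be implemented as one pass over key metadata, rotation status and CloudTrail history. The script below is an added example, not code from the page or the tool it describes: it works on records shaped like the `describe_key`, `get_key_rotation_status` and CloudTrail responses, but the sample account, the 90-day "unused" window and the 365-day rotation ceiling are constructed assumptions so that it runs offline.

```python
# Added example, not part of the original page: classify customer-managed KMS
# keys into the three findings above from API-shaped records. Real input would
# come from boto3 (kms.list_keys / describe_key / get_key_rotation_status and
# cloudtrail.lookup_events); here the records are constructed inline so the
# script runs offline. Thresholds are assumptions, not values from the page.
from datetime import datetime, timedelta, timezone

UNUSED_AFTER_DAYS = 90    # assumption: no crypto ops in this window => "unused"
MAX_ROTATION_DAYS = 365   # assumption: longer periods => "long rotation period"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# CloudTrail eventNames that mean the key material was actually used;
# DescribeKey, GetKeyPolicy etc. are management calls and do not count.
CRYPTO_EVENTS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext", "Sign", "Verify",
    "GenerateMac", "VerifyMac",
}


def last_use_per_key(events):
    """Map key ARN -> most recent cryptographic eventTime in the CloudTrail records."""
    last = {}
    for ev in events:
        if ev["eventName"] not in CRYPTO_EVENTS:
            continue
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        for res in ev.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                arn = res["ARN"]
                if arn not in last or when > last[arn]:
                    last[arn] = when
    return last


def audit_keys(keys, rotation_status, events, now=NOW):
    """Return (key_id, finding) pairs for customer-managed keys.

    keys: list of KeyMetadata dicts (as returned by describe_key)
    rotation_status: key_id -> get_key_rotation_status response
    events: CloudTrail records for KMS API calls
    """
    findings = []
    last_use = last_use_per_key(events)
    cutoff = now - timedelta(days=UNUSED_AFTER_DAYS)
    for meta in keys:
        # AWS-managed keys are free and rotate on their own; keys already
        # pending deletion need no further action.
        if meta["KeyManager"] != "CUSTOMER" or meta["KeyState"] == "PendingDeletion":
            continue
        key_id = meta["KeyId"]
        used = last_use.get(meta["Arn"])
        if used is None or used < cutoff:
            findings.append((key_id, "unused"))
        # Automatic rotation exists only for symmetric encryption keys, so
        # asymmetric and HMAC keys are not checked for it.
        if meta["KeySpec"] == "SYMMETRIC_DEFAULT":
            rot = rotation_status.get(key_id, {})
            if not rot.get("KeyRotationEnabled", False):
                findings.append((key_id, "rotation-disabled"))
            elif rot.get("RotationPeriodInDays", 365) > MAX_ROTATION_DAYS:
                findings.append((key_id, "long-rotation-period"))
    return findings


def sample_data():
    """Constructed sample account (placeholder account id, not real data)."""
    def arn(key_id):
        return f"arn:aws:kms:us-east-1:123456789012:key/{key_id}"

    def key(key_id, manager="CUSTOMER", spec="SYMMETRIC_DEFAULT", state="Enabled"):
        return {"KeyId": key_id, "Arn": arn(key_id), "KeyManager": manager,
                "KeySpec": spec, "KeyState": state}

    def event(name, when, key_id):
        return {"eventName": name, "eventTime": when,
                "resources": [{"type": "AWS::KMS::Key", "ARN": arn(key_id)}]}

    keys = [key("k-active"), key("k-stale"), key("k-slowrot"),
            key("k-aws", manager="AWS"), key("k-rsa", spec="RSA_2048"), key("k-never")]
    rotation = {
        "k-active": {"KeyRotationEnabled": True, "RotationPeriodInDays": 365},
        "k-stale": {"KeyRotationEnabled": False},
        "k-slowrot": {"KeyRotationEnabled": True, "RotationPeriodInDays": 730},
        "k-never": {"KeyRotationEnabled": True, "RotationPeriodInDays": 180},
    }
    events = [
        event("Decrypt", "2024-05-30T10:00:00Z", "k-active"),
        event("Decrypt", "2024-01-15T10:00:00Z", "k-stale"),      # older than 90 days
        event("DescribeKey", "2024-05-31T09:00:00Z", "k-stale"),  # management call, not use
        event("Encrypt", "2024-05-29T08:00:00Z", "k-slowrot"),
        event("Sign", "2024-05-20T12:00:00Z", "k-rsa"),
    ]
    return keys, rotation, events


if __name__ == "__main__":
    for key_id, finding in audit_keys(*sample_data()):
        print(f"{key_id}: {finding}")
```

Two details matter in practice: a key that shows only `DescribeKey` or `GetKeyPolicy` activity is still unused for cryptographic purposes, and asymmetric or HMAC keys are never flagged for rotation because KMS does not offer automatic rotation for them.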

Why It Matters

Each customer-managed KMS key costs $1/month regardless of usage. Beyond cost, unused keys and missing rotation increase security risk -- outdated key material is harder to audit and could be exploited if compromised.

Recommendations

  1. Unused keys -- Verify the key is truly unused, then schedule it for deletion
  2. Enable rotation -- Turn on automatic key rotation for symmetric keys
  3. Review key policies -- Audit which principals have access to unused keys

!!! warning "Before Deleting KMS Keys"
    KMS key deletion is irreversible after the waiting period. Verify no S3 objects, EBS volumes, or other resources are encrypted with the key before scheduling deletion.
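As an added example of carrying out the three recommendations (not code from the page or its tool), the script below takes the `(key_id, finding)` pairs a detection pass produces and turns them into a plan: list the principals whose key policy grants decrypt access, disable the key before scheduling deletion so the step stays reversible, use the longest 30-day window, and enable rotation only on keys that are staying. `RecordingKmsClient` is a stand-in whose method and parameter names mirror `boto3.client("kms")`; the policy document and findings are constructed samples, and the 365-day rotation period is an assumption.

```python
# Added example, not part of the original page: apply the three
# recommendations through a KMS client. RecordingKmsClient records calls
# instead of making them; a real boto3 KMS client has the same method and
# parameter names and can be passed in its place. Findings are (key_id, kind)
# pairs; the policy document below is a constructed sample.
import json
from fnmatch import fnmatchcase

DELETION_WINDOW_DAYS = 30   # longest pending window KMS allows (7-30 days)
ROTATION_PERIOD_DAYS = 365  # assumption: period to set when enabling rotation


class RecordingKmsClient:
    """Stand-in for boto3.client("kms"): same method/param names, records calls."""

    def __init__(self, policies):
        self.calls = []
        self._policies = policies  # key_id -> key policy JSON string

    def get_key_policy(self, KeyId, PolicyName="default"):
        return {"Policy": self._policies[KeyId]}

    def disable_key(self, KeyId):
        self.calls.append(("disable_key", KeyId))

    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        self.calls.append(("schedule_key_deletion", KeyId, PendingWindowInDays))

    def enable_key_rotation(self, KeyId, RotationPeriodInDays):
        self.calls.append(("enable_key_rotation", KeyId, RotationPeriodInDays))


def principals_in_policy(policy_json):
    """Principals the key policy allows to decrypt with the key (wildcards honoured)."""
    doc = json.loads(policy_json)
    found = set()
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(fnmatchcase("kms:Decrypt", a) for a in actions):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for value in principal.values():  # e.g. {"AWS": [...]} or {"Service": "..."}
            found.update([value] if isinstance(value, str) else value)
    return found


def remediate(client, findings, dry_run=True):
    """Return the action plan; API changes are made only when dry_run is False."""
    by_key = {}
    for key_id, kind in findings:
        by_key.setdefault(key_id, set()).add(kind)
    plan = []
    for key_id, kinds in by_key.items():
        if "unused" in kinds:
            # Deletion path: record who could decrypt, disable first (reversible),
            # then schedule deletion with the longest window. Rotation findings on
            # the same key are skipped: a key pending deletion cannot be rotated.
            who = sorted(principals_in_policy(client.get_key_policy(KeyId=key_id)["Policy"]))
            plan.append((key_id, "review-principals", who))
            plan.append((key_id, "disable-then-delete", DELETION_WINDOW_DAYS))
            if not dry_run:
                client.disable_key(KeyId=key_id)
                client.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=DELETION_WINDOW_DAYS)
        elif kinds & {"rotation-disabled", "long-rotation-period"}:
            plan.append((key_id, "enable-rotation", ROTATION_PERIOD_DAYS))
            if not dry_run:
                client.enable_key_rotation(KeyId=key_id, RotationPeriodInDays=ROTATION_PERIOD_DAYS)
    return plan


# Constructed key policy (placeholder account id) for the sample run.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "root", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "app", "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::123456789012:role/app"]},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "audit", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/auditor"},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ],
})
SAMPLE_FINDINGS = [("k-stale", "unused"), ("k-stale", "rotation-disabled"),
                   ("k-slowrot", "long-rotation-period")]

if __name__ == "__main__":
    client = RecordingKmsClient({"k-stale": SAMPLE_POLICY})
    for step in remediate(client, SAMPLE_FINDINGS):  # dry run: nothing is changed
        print(step)
```

Run it as a dry run first and read the `review-principals` entries: a principal that can still decrypt with a key you believe is unused is the strongest hint that something depends on it. Only once that list is empty of surprises should `dry_run=False` be used, and even then disabling the key and watching for `KMSDisabledException` errors during the waiting period is the cheap rollback the warning above relies on.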
