AWS KMS Keys

AWS Key Management Service (KMS) is a managed service that makes it easy to create and manage cryptographic keys. While essential for data encryption and security, unused or misconfigured KMS keys can lead to unnecessary costs and potential security risks.

The Problem

Organizations often accumulate KMS customer-managed keys that:

  • Were created for projects that no longer exist
  • Haven't been used for cryptographic operations in months
  • Lack automatic key rotation, increasing security risk
  • Have rotation periods that exceed security best practices

Each customer-managed KMS key costs $1/month, regardless of usage. While this may seem minimal, organizations with many unused keys can see costs accumulate quickly.

Detection Method

unusd.cloud analyzes your KMS keys to identify potential issues by:

  1. CloudTrail API Analysis - Examining cryptographic operations (Encrypt, Decrypt, GenerateDataKey, etc.) in the last 90 days
  2. Rotation Configuration - Checking if automatic key rotation is enabled for symmetric keys
  3. Rotation Period Review - Identifying keys with rotation periods exceeding 1 year

What We Flag

Keys are flagged when:

  • No recent usage - No cryptographic operations detected in the last 90 days
  • Rotation disabled - Symmetric keys without automatic rotation enabled
  • Long rotation periods - Keys with rotation periods exceeding 365 days
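The three checks above can be expressed as one classification routine. The following Python is an added example, not unusd.cloud's own code: the record shapes mirror the boto3 responses for `describe_key`, `get_key_rotation_status`, `list_resource_tags` and `lookup_events`, the sample keys and events are constructed here, and the event-name set and the `collect_findings()` live wrapper (which uses only the permissions listed on this page) are assumptions rather than anything the page specifies.

```python
"""Flag KMS customer-managed keys using the page's three checks:
no cryptographic use in 90 days, rotation disabled, rotation period > 365 days.
Added example; the data below is constructed, not real account output."""
from datetime import datetime, timedelta, timezone

USAGE_WINDOW_DAYS = 90      # also the retention limit of CloudTrail LookupEvents
MAX_ROTATION_DAYS = 365
EXCEPTION_TAG = ("unusd", "true")   # the exception tag from the page
# Assumed set of CloudTrail event names that count as cryptographic use
# (the page names Encrypt, Decrypt, GenerateDataKey "etc.").
CRYPTO_EVENTS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey", "GenerateDataKeyPair",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPairWithoutPlaintext",
    "Sign", "Verify", "GenerateMac", "VerifyMac",
}


def classify_key(metadata, rotation, tags, events, now):
    """Return finding codes for one key.
    metadata: describe_key()['KeyMetadata']; rotation: get_key_rotation_status()
    or None for keys that cannot auto-rotate; tags: list_resource_tags()['Tags'];
    events: lookup_events()['Events'] entries (EventName, aware EventTime)."""
    if metadata.get("KeyManager") != "CUSTOMER":
        return []                       # AWS-managed keys: no charge, rotation not ours
    if metadata.get("KeyState") == "PendingDeletion":
        return []                       # already being cleaned up
    if any((t["TagKey"], t["TagValue"]) == EXCEPTION_TAG for t in tags):
        return []                       # explicitly excepted
    findings = []
    cutoff = now - timedelta(days=USAGE_WINDOW_DAYS)
    used = any(e["EventName"] in CRYPTO_EVENTS and e["EventTime"] >= cutoff
               for e in events)
    if not used:
        findings.append("no_recent_usage")
    # Automatic rotation exists only for symmetric keys with KMS-generated
    # material; imported material and custom key stores cannot auto-rotate.
    if (metadata.get("KeySpec") == "SYMMETRIC_DEFAULT"
            and metadata.get("Origin") == "AWS_KMS" and rotation is not None):
        if not rotation.get("KeyRotationEnabled"):
            findings.append("rotation_disabled")
        elif rotation.get("RotationPeriodInDays", 365) > MAX_ROTATION_DAYS:
            findings.append("long_rotation_period")
    return findings


def monthly_cost_usd(rotations_done):
    """Base $1/month plus $1 per rotated version, capped at $3 (the page's pricing)."""
    return min(1 + rotations_done, 3)


NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def _meta(kid, spec="SYMMETRIC_DEFAULT", origin="AWS_KMS"):
    return {"KeyId": kid, "KeyManager": "CUSTOMER", "KeyState": "Enabled",
            "KeySpec": spec, "Origin": origin}


def _ev(name, days_ago):
    return {"EventName": name, "EventTime": NOW - timedelta(days=days_ago)}


# Constructed sample: (metadata, rotation status, tags, CloudTrail events)
SAMPLE_KEYS = {
    "key-orphaned": (_meta("key-orphaned"), {"KeyRotationEnabled": False}, [], []),
    "key-healthy": (_meta("key-healthy"),
                    {"KeyRotationEnabled": True, "RotationPeriodInDays": 365},
                    [], [_ev("Decrypt", 3), _ev("DescribeKey", 1)]),
    "key-slow-rotation": (_meta("key-slow-rotation"),
                          {"KeyRotationEnabled": True, "RotationPeriodInDays": 730},
                          [], [_ev("GenerateDataKey", 10)]),
    "key-stale": (_meta("key-stale"),
                  {"KeyRotationEnabled": True, "RotationPeriodInDays": 180},
                  [], [_ev("Encrypt", 120), _ev("ListAliases", 2)]),
    "key-excepted": (_meta("key-excepted"), {"KeyRotationEnabled": False},
                     [{"TagKey": "unusd", "TagValue": "true"}], []),
    "key-rsa": (_meta("key-rsa", spec="RSA_2048"), None, [], [_ev("Sign", 1)]),
}


def run_sample():
    """Classify every constructed key; returns {key_id: [finding, ...]}."""
    return {kid: classify_key(m, r, t, e, NOW)
            for kid, (m, r, t, e) in SAMPLE_KEYS.items()}


def collect_findings(kms, cloudtrail, now=None):
    """Assumed live wrapper over boto3 clients (not exercised offline)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=USAGE_WINDOW_DAYS)
    out = {}
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if meta["KeyManager"] != "CUSTOMER":
                continue
            rotation = None
            if meta["KeySpec"] == "SYMMETRIC_DEFAULT" and meta["Origin"] == "AWS_KMS":
                rotation = kms.get_key_rotation_status(KeyId=meta["KeyId"])
            tags = kms.list_resource_tags(KeyId=meta["KeyId"])["Tags"]
            events = []
            for ev_page in cloudtrail.get_paginator("lookup_events").paginate(
                    LookupAttributes=[{"AttributeKey": "ResourceName",
                                       "AttributeValue": meta["Arn"]}],
                    StartTime=cutoff, EndTime=now):
                events.extend(ev_page["Events"])
            out[meta["KeyId"]] = classify_key(meta, rotation, tags, events, now)
    return out


if __name__ == "__main__":
    for kid, findings in run_sample().items():
        print(f"{kid}: {findings or 'ok'}")
```

Two things worth keeping in mind when reading the output: management calls such as `DescribeKey` or `ListAliases` are deliberately not counted as use, and because the 90-day window coincides with the retention of CloudTrail event history, a key that only serves a yearly job (an annual restore, for example) will show up as unused, which is exactly why the page's first recommendation is to verify against CloudTrail before scheduling deletion.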

Based on AWS best practices:

Cost Implications

KMS customer-managed keys have the following pricing:

  • $1/month per key - Base cost for each customer-managed key
  • $0.03 per 10,000 requests - API usage costs (typically minimal)
  • After rotation - Additional $1/month per key version (capped at $3/month after 2 rotations)

Security Considerations

Beyond cost, KMS key management has important security implications:

  • Unused keys may indicate orphaned resources or forgotten access patterns
  • Keys without rotation increase the risk if key material is ever compromised
  • Long rotation periods may not meet compliance requirements (e.g., PCI-DSS recommends annual rotation)

Recommendations

  1. Review unused keys - Check CloudTrail logs to verify the key is truly unused before deletion
  2. Enable automatic rotation - For symmetric keys, enable rotation with an appropriate period
  3. Consider 365-day rotation - AWS recommends annual rotation for most use cases
  4. Audit key policies - Verify which principals have access to unused keys

How to Clean Up

Enable Key Rotation

# Enable automatic rotation with default period (365 days)
aws kms enable-key-rotation \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --region us-east-1

# Set a custom rotation period (90-2560 days)
aws kms enable-key-rotation \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --rotation-period-in-days 180 \
    --region us-east-1

Schedule Key Deletion

KMS keys cannot be immediately deleted - they must be scheduled for deletion (7-30 days):

# Schedule key for deletion in 30 days
aws kms schedule-key-deletion \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --pending-window-in-days 30 \
    --region us-east-1

!!! warning "Before Deleting KMS Keys"
    Before scheduling a key for deletion:

    1. **Check CloudTrail** - Verify no external systems use the key
    2. **Review encrypted data** - Ensure no data encrypted with this key needs to be decrypted
    3. **Check S3 objects** - Objects encrypted with SSE-KMS will become inaccessible
    4. **Review EBS volumes** - Encrypted volumes will become unusable

Cancel Scheduled Deletion

If you schedule a key for deletion and realize it's still needed:

aws kms cancel-key-deletion \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --region us-east-1

# Re-enable the key after canceling deletion
aws kms enable-key \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --region us-east-1

Exception Handling

To exclude a KMS key from detection, add the configured exception tag:

aws kms tag-resource \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --tags TagKey=unusd,TagValue=true \
    --region us-east-1

Required Permissions

This feature uses the following IAM permissions (already included in the standard spoke role):

- kms:DescribeKey
- kms:GetKeyRotationStatus
- kms:ListAliases
- kms:ListKeys
- kms:ListResourceTags
- cloudtrail:LookupEvents

Keep on chasing 🧡