
πŸ›‘οΈ AWS KMS CMK is scheduled for deletion🟒

  • Contextual name: 🛡️ CMK is scheduled for deletion 🟢
  • ID: /ce/ca/aws/kms/cmk-scheduled-deletion
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Description

This policy identifies AWS KMS Customer-Managed Keys (CMKs) that are scheduled for deletion. A KMS key should only be deleted when you are certain it is no longer required. If there is any uncertainty, it is recommended to disable the key instead. You can re-enable a disabled KMS key or cancel its scheduled deletion; however, once a key is deleted, it cannot be recovered.

Rationale

Deleting an AWS KMS key is a destructive and irreversible operation. It permanently removes the key material and all associated metadata. Once a KMS key is deleted, any data encrypted with that key becomes unrecoverable. This risk is particularly critical for asymmetric KMS keys used for encryption because users can continue encrypting data with the public key even after the private key has been deleted, resulting in ciphertexts that can never be decrypted.

Audit

This policy flags an AWS KMS Key as INCOMPLIANT if the Deletion Date field is not empty, indicating that the key is scheduled for deletion.

The key is marked as INAPPLICABLE if the Manager field is not CUSTOMER, because only customer-managed keys can be scheduled for deletion; AWS-managed and AWS-owned keys never enter the PendingDeletion state.
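The audit logic above, expressed as runnable code. This is an added example, not the policy's own implementation: it evaluates KeyMetadata records of the shape returned by the KMS DescribeKey API (the KeyManager, KeyState and DeletionDate fields), ranks flagged keys by how many days remain in the deletion waiting period, and emits the cancel-key-deletion command from the Remediation section for each one. The key IDs, dates and "now" timestamp are constructed sample values.

```python
"""Evaluate KMS KeyMetadata records against the CMK-scheduled-for-deletion check.

Added example; the records below are constructed to mirror DescribeKey output
(KeyMetadata) and are not real keys.
"""
from datetime import datetime, timezone

COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"
INAPPLICABLE = "INAPPLICABLE"


def _as_datetime(value):
    """DescribeKey returns DeletionDate as a datetime via the SDK but as an ISO-8601
    string in CLI JSON output; accept both."""
    if isinstance(value, str):
        return datetime.fromisoformat(value)
    return value


def evaluate_key(key_metadata):
    """Return the policy verdict for one KeyMetadata record (a dict).

    KeyManager is "CUSTOMER" for customer-managed keys and "AWS" otherwise.
    DeletionDate is only present while the key is pending deletion.
    """
    if key_metadata.get("KeyManager") != "CUSTOMER":
        return INAPPLICABLE          # only CMKs can be scheduled for deletion
    if key_metadata.get("DeletionDate") is not None:
        return INCOMPLIANT           # deletion scheduled; still cancellable
    return COMPLIANT


def days_until_deletion(key_metadata, now):
    """Whole days left in the waiting period, or None if no deletion is scheduled."""
    deletion_date = key_metadata.get("DeletionDate")
    if deletion_date is None:
        return None
    return (_as_datetime(deletion_date) - now).days


def audit(keys, now):
    """Evaluate every key. Returns (KeyId, verdict, days_left) tuples with the
    INCOMPLIANT keys first, soonest deletion on top."""
    rows = [(k["KeyId"], evaluate_key(k), days_until_deletion(k, now)) for k in keys]
    return sorted(rows, key=lambda r: (r[1] != INCOMPLIANT,
                                       r[2] if r[2] is not None else 10 ** 6))


def remediation_commands(keys):
    """The cancel-key-deletion call from the Remediation section, per flagged key."""
    return [f"aws kms cancel-key-deletion --key-id {k['KeyId']}"
            for k in keys if evaluate_key(k) == INCOMPLIANT]


# Constructed sample data: a fixed "now" keeps the day counts reproducible.
NOW = datetime(2024, 6, 24, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "11111111-aaaa-4bbb-8ccc-000000000001", "KeyManager": "CUSTOMER",
     "KeyState": "PendingDeletion",
     "DeletionDate": datetime(2024, 7, 1, tzinfo=timezone.utc)},
    {"KeyId": "11111111-aaaa-4bbb-8ccc-000000000002", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled"},
    {"KeyId": "11111111-aaaa-4bbb-8ccc-000000000003", "KeyManager": "AWS",
     "KeyState": "Enabled"},
    {"KeyId": "11111111-aaaa-4bbb-8ccc-000000000004", "KeyManager": "CUSTOMER",
     "KeyState": "Disabled"},            # disabled, not deleted: the recommended state
    {"KeyId": "11111111-aaaa-4bbb-8ccc-000000000005", "KeyManager": "CUSTOMER",
     "KeyState": "PendingDeletion",
     "DeletionDate": "2024-07-24T00:00:00+00:00"},   # CLI-style string timestamp
]

if __name__ == "__main__":
    for key_id, verdict, days_left in audit(SAMPLE_KEYS, NOW):
        print(f"{key_id}  {verdict:<12}  days until deletion: {days_left}")
    for cmd in remediation_commands(SAMPLE_KEYS):
        print(cmd)
```

Against real accounts, the records come from `aws kms list-keys` followed by `aws kms describe-key --key-id …` for each key; the `KeyMetadata` object in that JSON output can be passed to `evaluate_key` as-is. The ranking by remaining days is not part of the policy text; it is a practical addition, since a key with two days left needs attention before one with twenty-eight.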

Remediation

Cancel Key Deletion

From AWS CLI

Use the following command to cancel the scheduled deletion of a KMS key:

aws kms cancel-key-deletion \
--key-id {{key-id}}

This command changes the key status from PendingDeletion to Disabled.

Disable Key

If you no longer need to use a key but want to retain it for potential future use, disable it instead of deleting it:

aws kms disable-key \
--key-id {{key-id}}

Disabling a key prevents its use in cryptographic operations until it is re-enabled.

Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags (counts run together in extraction) | Compliance
--- | --- | ---
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.3] AWS KMS keys should not be deleted unintentionally | 1 | no data
💼 AWS Well-Architected → 💼 SEC08-BP01 Implement secure key management | 2 | no data
💼 AWS Well-Architected → 💼 SEC09-BP01 Implement secure key and certificate management | 2 | no data
💼 Cloudaware Framework → 💼 Expiration Management | 14 | no data
💼 FedRAMP High Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 1912 | no data
💼 FedRAMP Low Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 12 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 12 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 159 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 135 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-12 Cryptographic Key Establishment and Management | 6111 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-12(2) Cryptographic Key Establishment and Management _ Symmetric Keys | 14 | no data