Check for any disabled KMS Customer Master Keys in your AWS account and remove them in order to lower the cost of your monthly AWS bill.
This rule can help you with the following compliance standards:
- NIST 800-53 (Rev. 4)
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
As of April 2016, each Customer Master Key that you create in AWS KMS costs $1 / month, regardless whether is being used or not. Since the KMS disabled keys are also charged, it is recommended to delete these keys in order to avoid any unexpected charges on your bill.
Note: Recover your encrypted data - once a CMK is deleted, all data encrypted under that key becomes unrecoverable. AWS KMS service allows a minimum waiting period of 7 days to verify whether your keys are still needed to decrypt the data before these are completely deleted. The deletion can be canceled any time before the waiting period expires.
To determine if you have any customer master keys (CMK) disabled in your AWS account, perform the following:
Remediation / Resolution
AWS Key Management System allows a waiting period between 7 and 30 days before the key is completely deleted and unrecoverable. The deletion can be canceled any time before the waiting period expires.To schedule deletion for any disabled customer master keys in your AWS account, perform the following:
To cancel any key deletion before the waiting period ends, perform the following
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Unused Customer Master Key
Risk level: Low