
KMS Customer Master Key Pending Deletion

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: KMS-004

Identify any disabled AWS KMS Customer Master Keys (CMK) that have been accidentally or intentionally scheduled for deletion in order to prevent losing any data encrypted with these keys.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

Reliability

When a CMK is deleted, all data encrypted under that key becomes unrecoverable. However, AWS does not remove the key instantly; instead it enforces a waiting period of between 7 and 30 days so that you can verify whether the key is still needed to decrypt data, and it lets you recover the key by canceling the scheduled deletion.


Audit

To determine if you have any KMS Customer Master Keys (CMK) scheduled for deletion, perform the following:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

  3. In the left navigation panel, click Encryption Keys.

  4. Select the appropriate AWS region from the Filter menu.

  5. Check the Status column: any key whose current status is Pending Deletion is scheduled for deletion.

  6. Repeat steps 4 and 5 for each AWS region.

Using AWS CLI

  1. Run the list-keys command (OSX/Linux/UNIX) to list all Customer Master Keys available in the selected AWS region:

    aws kms list-keys \
        --region us-east-1
    
  2. The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

    {
        "Keys": [
            {
                "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
                "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"
            },
            {
                "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
                "KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647"
            }
        ]
    }
    
  3. Run the describe-key command (OSX/Linux/UNIX) with each CMK ID to identify any keys scheduled for deletion:

    aws kms describe-key \
        --key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05
    
  4. The command output should expose the selected CMK metadata. If the KeyState parameter value is set to PendingDeletion, the key is scheduled for deletion:

    {
        "KeyMetadata": {
            "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "Description": "",
            "DeletionDate": 1461196800.0,
            "Enabled": false,
            "KeyUsage": "ENCRYPT_DECRYPT",
            "KeyState": "PendingDeletion",
            "CreationDate": 1460543921.053,
            "Arn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "AWSAccountId": "123456789012"
        }
    }
    
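Added example, not part of the Conformity rule page or the AWS CLI: a Python helper that applies the KeyState check above to describe-key metadata and, unlike the manual steps, also works out how much of the waiting period is left from DeletionDate. The sample metadata is constructed from the output shown on this page; fetch_key_metadata assumes boto3 is installed and that the caller has kms:ListKeys and kms:DescribeKey.

```python
"""Added helper for rule KMS-004: flag KMS keys whose KeyState is PendingDeletion."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the describe-key "KeyMetadata" shape shown on this page
# (placeholder account and key IDs taken from the page, not real resources).
SAMPLE_METADATA = [
    {"KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05", "KeyState": "PendingDeletion",
     "DeletionDate": 1461196800.0,
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05"},
    {"KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647", "KeyState": "Enabled",
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/265bb9c7-ccfc-4cf1-9686-54866f31d647"},
]

def _as_utc(value):
    """The CLI prints timestamps as epoch floats; boto3 returns datetimes. Accept both."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(float(value), tz=timezone.utc)

def find_pending_deletion(metadata_list, now):
    """Return one finding per key in PendingDeletion, with the time left in the
    waiting period. Keys within 48 hours of DeletionDate are rated HIGH because
    cancel-key-deletion only works before that date; afterwards the key is gone."""
    now = _as_utc(now)
    findings = []
    for meta in metadata_list:
        if meta.get("KeyState") != "PendingDeletion":
            continue
        deletion = _as_utc(meta["DeletionDate"])
        remaining = deletion - now
        findings.append({
            "KeyId": meta["KeyId"],
            "Region": meta["Arn"].split(":")[3],  # 4th ARN field is the region
            "DeletionDate": deletion.isoformat(),
            "HoursRemaining": max(0, int(remaining.total_seconds() // 3600)),
            "Severity": "HIGH" if remaining <= timedelta(hours=48) else "MEDIUM",
        })
    return findings

def fetch_key_metadata(region):
    """Live equivalent of list-keys + describe-key for one region. Assumes boto3
    is installed and the caller has kms:ListKeys and kms:DescribeKey."""
    import boto3  # imported here so the offline sample needs no AWS SDK
    kms = boto3.client("kms", region_name=region)
    metadata = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            metadata.append(kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
    return metadata
```

For a live run, pass the result of fetch_key_metadata(region) together with datetime.now(timezone.utc) for each region in use. A key whose deletion is canceled stays Disabled afterwards and must be enabled separately before it can decrypt again.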

Remediation / Resolution

AWS Key Management Service enforces a waiting period of between 7 and 30 days before the key is completely deleted and unrecoverable. The deletion can be canceled at any time before the selected waiting period expires. To cancel any KMS CMK scheduled for deletion, perform the following:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

  3. In the left navigation panel, click Encryption Keys.

  4. Select the appropriate AWS region from the Filter menu.

  5. Check the Status column for any keys whose current status is Pending Deletion.

  6. Select the key, click the Key Actions button in the dashboard top menu and select Cancel key deletion. Once the scheduled delete action is canceled, the key status moves from 'Pending Deletion' to 'Disabled'.

  7. Repeat steps 4, 5 and 6 for each AWS region.

Using AWS CLI

  1. Run the list-keys command (OSX/Linux/UNIX) to list all Customer Master Keys available in the selected AWS region:

    aws kms list-keys \
        --region us-east-1
    
  2. The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

    {
        "Keys": [
            {
                "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
                "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"
            },
            {
                "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
                "KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647"
            }
        ]
    }
    
  3. Run the describe-key command (OSX/Linux/UNIX) with each CMK ID to identify any keys scheduled for deletion in the current AWS region:

    aws kms describe-key \
        --key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05
    
  4. The command output should expose the selected CMK metadata. If the KeyState parameter value is set to PendingDeletion, the key is scheduled for deletion:

    {
        "KeyMetadata": {
            "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "Description": "",
            "DeletionDate": 1461196800.0,
            "Enabled": false,
            "KeyUsage": "ENCRYPT_DECRYPT",
            "KeyState": "PendingDeletion",
            "CreationDate": 1460543921.053,
            "Arn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "AWSAccountId": "123456789012"
        }
    }
    
  5. Run the cancel-key-deletion command (OSX/Linux/UNIX) to cancel the delete action for the selected Customer Master Key (CMK):

    aws kms cancel-key-deletion \
        --key-id 0a865351-7c39-4ef1-a4a3-03280af8ee05
    
  6. Run the describe-key command (OSX/Linux/UNIX) again to check the CMK's current status. If the operation was successful, the KeyState parameter value moves from 'PendingDeletion' to 'Disabled':

    {
        "KeyMetadata": {
            "KeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "Description": "",
            "DeletionDate": 1461196800.0,
            "Enabled": false,
            "KeyUsage": "ENCRYPT_DECRYPT",
            "KeyState": "Disabled",
            "CreationDate": 1460543921.053,
            "Arn": "arn:aws:kms:us-east-1:123456789012:key/0a865351-7c39-4ef1-a4a3-03280af8ee05",
            "AWSAccountId": "123456789012"
        }
    }
    

Publication date Apr 15, 2016