Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Unused KMS Customer-Managed Keys (CMKs)

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: OCI-KMS-006

Identify and remove excessive unused OCI KMS Customer-Managed Keys (also known as Master Encryption Keys) from your Oracle Cloud Infrastructure (OCI) account in order to lower the cost of your monthly bill. Each key version incurs charges, so ensuring your KMS Vault maintains a reasonable number of keys (ideally ≤ 15) avoids unnecessary monthly costs.

Cost
optimisation

Excessive unused Customer-Managed Keys (CMKs) increase Oracle Cloud Infrastructure (OCI) costs because each key version incurs a monthly charge. Deleting keys beyond what's needed (more than 15) optimizes spending while maintaining only necessary cryptographic resources.

Recover your encrypted data: once a Customer-Managed Key (CMK) is deleted, all data encrypted under that key becomes unrecoverable. Oracle Cloud Infrastructure (OCI) allows a minimum waiting period of 7 days to verify whether your keys are still needed to decrypt the data before these are completely deleted. The deletion can be canceled any time before the waiting period expires.

Audit

To determine whether there is an excessive number of unused Customer-Managed Keys (CMKs) available within your OCI account, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms/.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list the OCI KMS Vaults available within that compartment.

  4. Click on the name (link) of the active KMS Vault that you want to examine, listed in the Name column. An active KMS Vault has the State set to Active.

  5. Select the Master encryption keys tab to list the Customer-Managed Keys (CMKs) available in the selected OCI KMS Vault.

  6. Click inside the Search and Filter box, choose State, select Disabled, and choose Apply filter to list the disabled (unused) keys.

  7. Increase the number of listed items to 25 or more from the Items per page dropdown menu and count the number of disabled keys listed on the page. If the number of disabled (unused) keys is greater than 15, the selected OCI KMS Vault contains an excessive number of unused keys.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with custom output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run kms management vault list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, the list the ID of each active KMS Vault provisioned in the selected OCI compartment:

    oci kms management vault list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query "data[?\"lifecycle-state\"=='ACTIVE'].id"

  4. The command output should return the requested Vault IDs:

    [
	"ocid1.vault.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.vault.oc1.ap-sydney-1.abcd1234abcda.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run kms management vault get command (Windows/macOS/Linux) to describe the service endpoint configured for the selected OCI KMS Vault:

    oci kms management vault get
	--vault-id 'ocid1.vault.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--query 'data."management-endpoint"'

  6. The command output should return the URL of the service (management) endpoint configured for the selected vault:

    "https://abcdabcd1234a-management.kms.ap-sydney-1.oraclecloud.com"

  7. Run oci kms management key list command (Windows/macOS/Linux) with the service endpoint of the OCI KMS Vault that you want to examine as the identifier parameter, to list the ID and state of each KMS Customer-Managed Key (CMK) created within the selected Vault:

    oci kms management key list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--endpoint 'https://abcdabcd1234a-management.kms.ap-sydney-1.oraclecloud.com'
	--all
	--query 'data[].["id","lifecycle-state"]'

  8. The command output should return the ID and status for each KMS key available in the selected Vault. A disabled (inactive) Customer-Managed Key has the lifecycle status set to "DISABLED":

    [
	[
		"ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"DISABLED"
	],
	[
		"ocid1.key.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"DISABLED"
	],
	[
		"ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"DISABLED"
	],
	[
		"ocid1.key.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"DISABLED"
	],
	[
		"ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"DISABLED"
	],

	...

	[
		"ocid1.key.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"DISABLED"
	],
	[
		"ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"DISABLED"
	],
	[
		"ocid1.key.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"DISABLED"
	],
	[
		"ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"ENABLED"
	],
	[
		"ocid1.key.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"PENDING_DELETION"
	]
]

    Count the number of disabled keys returned by the kms management key list command output. If the number of disabled (unused) keys is greater than 15, the selected OCI KMS Vault contains an excessive number of unused keys.

Remediation / Resolution

Oracle Cloud Infrastructure (OCI) allows a waiting period between 7 and 30 days before a Customer-Managed Key (CMK) is completely deleted and unrecoverable. The deletion can be canceled any time before the waiting period expires. To schedule deletion for any unused (disabled) Customer-Managed Key available within your OCI account, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms/.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list the OCI KMS Vaults available within that compartment.

  4. Click on the name (link) of the active KMS Vault that you want to access, listed in the Name column. An active KMS Vault has the State set to Active.

  5. Select the Master encryption keys tab to list the Customer-Managed Keys (CMKs) available in the selected OCI KMS Vault.

  6. Click inside the Search and Filter box, choose State, select Disabled, and choose Apply filter to list the disabled (unused) keys.

  7. Choose the unused Customer-Managed Key (CMK) that you want to remove, select the Actions menu (3-dot icon), and choose Delete Key.

  8. In the Confirm dialog box, type the name of the unused key in the Name box, select the deletion date and time (UTC time), and choose Delete Key to schedule the key for deletion.

  9. Repeat steps no. 7 and 8 to ensure that all the excessive unused KMS Customer-Managed Keys (CMKs) are scheduled for deletion.

Using OCI CLI

  1. Run kms management key schedule-deletion command (Windows/macOS/Linux) with the ID of the disabled (unused) Customer-Managed Key (CMK) that you want to remove as the identifier parameter, to schedule the selected key for deletion. Include the --time-of-deletion command parameter to specify when to delete the key. The specified time must be between 7 and 30 days from when the request is received. If the --time-of-deletion parameter in not included in the command request, it will be set to 30 days from the time of the request by default:

    oci kms management key schedule-deletion
	--key-id 'ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--endpoint 'https://abcdabcd1234a-management.kms.ap-sydney-1.oraclecloud.com'

  2. The command output should return the configuration information available for the deleted OCI KMS key:

    {
	"data": {
		"auto-key-rotation-details": null,
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"current-key-version": "ocid1.keyversion.oc1.ap-sydney-1.abcdabcd1234a.abcdabcd1234a.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"defined-tags": {},
		"display-name": "cc-project5-customer-key",
		"external-key-reference-details": null,
		"freeform-tags": {},
		"id": "ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"is-auto-rotation-enabled": false,
		"is-primary": true,
		"key-shape": {
			"algorithm": "AES",
			"curve-id": null,
			"length": 32
		},
		"lifecycle-state": "SCHEDULING_DELETION",
		"protection-mode": "SOFTWARE",
		"replica-details": null,
		"restored-from-key-id": null,
		"time-created": "2025-10-27T08:45:25.854000+00:00",
		"time-of-deletion": "2025-11-27T12:21:01.284000+00:00",
		"vault-id": "ocid1.vault.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
	},
	"etag": "1234abcd1234abcd1234abcd1234abcd1234"
}

  3. Repeat steps no. 1 and 2 to ensure that all the excessive unused KMS Customer-Managed Keys (CMKs) are scheduled for deletion.

References

Publication date Nov 12, 2025

Related OCI-KMS rules