Description:

AWS Key Management Service (KMS) makes it easy to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. A customer master key (CMK) is a logical representation of a master key in AWS KMS. The CMK contains the key material used to encrypt and decrypt data, and it also includes the key identifiers and other metadata, including its creation date, description, and key state. By default, AWS KMS generates the key material for a newly created CMK.

Rationale:

Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your KMS keys, you can create new KMS keys, and then change your applications or aliases to use the new KMS keys. Or, you can enable automatic key rotation for an existing KMS key.

Impact:

Each customer master key that you create in AWS KMS costs $1 / month, regardless of whether it is being used or not. Since disabled KMS keys are also charged, it is recommended to delete these keys to avoid any unexpected charges on your bill.

  • It will avoid the management overhead and costs associated with maintaining unused KMS keys.

  • It will reduce the number of KMS keys that count against your KMS key resource quota.

Default Value:

AWS Key Management Service enforces a waiting period between 7 and 30 days before a key scheduled for deletion is completely deleted and unrecoverable. The deletion can be canceled at any time before the waiting period expires.


Pre-Requisite: 

  • There must be at least one customer-created customer master key (CMK).


Remediation:

Test Plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to the KMS dashboard at https://console.aws.amazon.com/kms/.

  3. In the left navigation panel, click Customer managed keys.

  4. In the CMK dashboard check for any disabled customer master keys under the Status column.


Using AWS CLI:

  • Run the list-keys command to list all customer master keys available in the current AWS region:

    aws kms list-keys

    The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region.

  • Run the describe-key command for each CMK to identify any disabled keys available in the current AWS region:

    aws kms describe-key \
      --key-id <enter key id>

    The command output returns the key metadata; a disabled key reports "KeyState": "Disabled" in the KeyMetadata section.

Implementation Steps:

To schedule deletion for any disabled customer master keys in your AWS account, perform the following:

  1. Sign in to the AWS Management Console.

  2. Navigate to the KMS dashboard at https://console.aws.amazon.com/kms/.

  3. In the left navigation panel, click Customer managed keys

  4. In the CMK dashboard check for any disabled customer master keys under the Status column.

  5. Select the disabled key, click on the Key actions dropdown menu, and select Schedule key deletion.

  6. In the Schedule key deletion dialog box, under the Waiting period (in days) section, enter a value between 7 and 30 (days) and click Schedule deletion.

  7. The selected key status should change to Pending deletion.



Using AWS CLI:

  • Run the schedule-key-deletion command to schedule deletion for any disabled keys available in the current AWS region. The following example sets a 7-day waiting period before the key is deleted:

    aws kms schedule-key-deletion \
      --key-id <ENTER KEY ID> \
      --pending-window-in-days 7
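The test plan and implementation steps above are one procedure: list every key in the region, inspect each key's metadata, and schedule deletion only for the ones that are disabled. The following Python script is an added example, not part of this check or of any AWS tooling. It drives the same KMS API operations the CLI steps use (ListKeys, DescribeKey, ScheduleKeyDeletion) through boto3, which is assumed to be installed and configured only when run with --live; otherwise it runs against a constructed stub client with made-up key IDs and ARNs. It adds two checks a practitioner wants that the CLI steps leave implicit: ListKeys pagination is followed so keys past the first page are not missed, and AWS-managed keys (KeyManager "AWS") are skipped because only customer-managed keys can be scheduled for deletion. Deletion is a dry run unless apply=True.

```python
"""Find disabled customer-managed KMS keys and optionally schedule their deletion.

Added example (not the check's own tooling). Uses the ListKeys, DescribeKey and
ScheduleKeyDeletion operations via boto3 when run with --live; the StubKms
client and its key data below are constructed for offline use.
"""
from typing import Any, Dict, Iterable, List


def iter_key_ids(kms: Any) -> Iterable[str]:
    """Yield every key ID in the region, following ListKeys pagination."""
    kwargs: Dict[str, Any] = {}
    while True:
        page = kms.list_keys(**kwargs)
        for entry in page.get("Keys", []):
            yield entry["KeyId"]
        if not page.get("Truncated"):
            return
        kwargs = {"Marker": page["NextMarker"]}


def find_disabled_customer_keys(kms: Any) -> List[Dict[str, str]]:
    """Return metadata for keys that are Disabled and customer-managed.

    KeyState is what the console shows in the Status column. AWS-managed keys
    (KeyManager == "AWS") appear in ListKeys too but cannot be deleted, so
    they are excluded from the findings.
    """
    findings = []
    for key_id in iter_key_ids(kms):
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if meta.get("KeyState") == "Disabled" and meta.get("KeyManager") == "CUSTOMER":
            findings.append({"KeyId": meta["KeyId"], "Arn": meta["Arn"],
                             "Description": meta.get("Description", "")})
    return findings


def schedule_deletion(kms: Any, key_ids: Iterable[str], days: int = 7,
                      apply: bool = False) -> List[str]:
    """Schedule deletion with a 7..30 day waiting period; dry run unless apply=True."""
    if not 7 <= days <= 30:
        raise ValueError("PendingWindowInDays must be between 7 and 30")
    scheduled = []
    for key_id in key_ids:
        if apply:
            kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=days)
        scheduled.append(key_id)
    return scheduled


class StubKms:
    """Constructed stand-in for a boto3 KMS client; pages two keys at a time."""

    def __init__(self, keys: Dict[str, Dict[str, str]]):
        self._keys = keys
        self.scheduled: Dict[str, int] = {}

    def list_keys(self, **kwargs):
        ids = sorted(self._keys)
        start = ids.index(kwargs["Marker"]) if "Marker" in kwargs else 0
        page, rest = ids[start:start + 2], ids[start + 2:]
        out = {"Keys": [{"KeyId": k, "KeyArn": self._keys[k]["Arn"]} for k in page],
               "Truncated": bool(rest)}
        if rest:
            out["NextMarker"] = rest[0]
        return out

    def describe_key(self, KeyId):
        return {"KeyMetadata": self._keys[KeyId]}

    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        self.scheduled[KeyId] = PendingWindowInDays
        return {"KeyId": KeyId, "PendingWindowInDays": PendingWindowInDays}


def _sample_client() -> StubKms:
    """Constructed sample region: IDs, ARNs and account number are made up."""
    def key(kid, state, manager, desc):
        return {"KeyId": kid, "Arn": f"arn:aws:kms:us-east-1:111122223333:key/{kid}",
                "KeyState": state, "KeyManager": manager, "Description": desc}
    return StubKms({
        "1111aaaa-0000-4000-8000-000000000001": key("1111aaaa-0000-4000-8000-000000000001", "Disabled", "CUSTOMER", "legacy app key"),
        "2222bbbb-0000-4000-8000-000000000002": key("2222bbbb-0000-4000-8000-000000000002", "Enabled", "CUSTOMER", "prod data key"),
        "3333cccc-0000-4000-8000-000000000003": key("3333cccc-0000-4000-8000-000000000003", "PendingDeletion", "CUSTOMER", "already scheduled"),
        "4444dddd-0000-4000-8000-000000000004": key("4444dddd-0000-4000-8000-000000000004", "Enabled", "AWS", "Default key for S3"),
    })


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # assumes credentials and a default region are configured
        kms = boto3.client("kms")
    else:
        kms = _sample_client()
    disabled = find_disabled_customer_keys(kms)
    for f in disabled:
        print(f"DISABLED {f['KeyId']} {f['Arn']} {f['Description']!r}")
    print("would schedule:", schedule_deletion(kms, [f["KeyId"] for f in disabled]))
```

Run it without arguments to see the stub output; with --live it reads the real account and still only prints what it would schedule, so reviewing the findings before passing apply=True mirrors the console flow of checking the Status column first.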

Backout plan:

  1. Open the AWS KMS console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Select the check box next to the KMS key that you want to recover.

  5. Choose Key actions, Cancel key deletion.

The KMS key status changes from Pending deletion to Disabled. To use the KMS key, you must enable it.

Using AWS CLI:

aws kms cancel-key-deletion --key-id <enter key id>


Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html