Profile Applicability:
- Level 2
Description:
AWS Key Management Service (KMS) allows the creation of Customer Managed Keys (CMKs) to encrypt and secure data. Over time, some CMKs may no longer be in use, either because the associated resources have been deleted or because they are not actively needed. Unused keys increase the attack surface and may result in unnecessary cost. This SOP ensures that unused CMKs are identified and managed efficiently, either by archiving or deleting them.
Rationale:
Security: Unused CMKs increase the risk of mismanagement or unauthorized access if not properly decommissioned.
Cost Efficiency: Unused CMKs continue to incur charges for as long as they exist, even when no service is actively using them.
Compliance: Many compliance frameworks require that unused encryption keys be securely deleted or archived to meet security and data lifecycle management standards.
Operational Best Practices: Regularly reviewing CMK usage helps maintain a streamlined key management process.
Impact:
Pros:
Reduced Risk: Ensures that unused keys are not forgotten, thus lowering the risk of them being inadvertently exposed or misused.
Cost Savings: By identifying unused keys, unnecessary costs associated with inactive keys can be avoided.
Simplified Key Management: A regular review of CMK usage keeps the key management process lean and effective.
Cons:
Misidentification of Active Keys: There's a risk that keys currently in use may be mistakenly identified as unused and deleted, potentially disrupting services.
Operational Overhead: Conducting regular checks to identify unused keys can add a small operational burden.
Default Value:
By default, KMS CMKs do not track their usage history over time, so identifying unused keys requires manual or automated reviews.
Prerequisites:
AWS IAM Permissions:
kms:ListKeys
kms:DescribeKey
kms:ListAliases
kms:ScheduleKeyDeletion
AWS CLI installed and configured.
Ensure that you have appropriate permissions to view and manage KMS keys in your AWS account.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS KMS under Services.
In the KMS Dashboard, go to Customer Managed Keys (CMKs).
Review the Last Used column for each key. If no Last Used date is shown or the last usage was a long time ago, it may indicate the key is no longer in use.
Investigate the affected CMKs to confirm whether they are needed or safe to delete.
Using AWS CLI:
To list all KMS CMKs, run:
aws kms list-keys --query 'Keys'
For each CMK, retrieve the LastUsedDate to check if the key is still actively used:
aws kms describe-key --key-id <key-id> --query 'KeyMetadata.LastUsedDate'
If the LastUsedDate is missing or far in the past, the key may be unused. You can proceed to delete or archive the key, based on your policy.
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to KMS.
In the KMS Dashboard, under Customer Managed Keys, review all the CMKs.
For each CMK, check the Last Used date. If the key has not been used recently or lacks a last-used date:
Investigate whether the key is still needed by checking for associated resources or services.
If the key is no longer required, you can delete or archive it as per your organization's policies.
Delete unused keys by selecting the key and choosing Schedule Key Deletion. Confirm the deletion after a 30-day waiting period.
Using AWS CLI:
To list all CMKs, run the following command:
aws kms list-keys --query 'Keys'
For each key, check its last used date:
aws kms describe-key --key-id <key-id> --query 'KeyMetadata.LastUsedDate'
If no LastUsedDate is returned or the key hasn't been used in a long period, consider deleting or archiving the key:
aws kms schedule-key-deletion --key-id <key-id> --pending-window-in-days 30
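The following Python is an added example, not part of this SOP or any AWS tooling: it triages captured `describe-key` KeyMetadata and `list-aliases` output for the review above, applies the same 30-day pending window, and emits the matching cancel command from the backout plan. All key ids, the alias, timestamps and the last-use evidence are constructed; KeyMetadata carries no LastUsedDate field, so the last-use timestamps are assumed to come from the reviewer's own usage evidence (for example CloudTrail KMS event history), and keys created within the last 30 days are assumed not to be flagged.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of KeyMetadata objects as returned by `aws kms describe-key`
# (placeholder key ids, not real keys).
SAMPLE_KEYS = [
    {"KeyId": "0000-unused-old", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": "2023-01-10T00:00:00+00:00"},
    {"KeyId": "0000-active-db", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": "2024-05-01T00:00:00+00:00"},
    {"KeyId": "0000-aws-managed", "KeyManager": "AWS", "KeyState": "Enabled",
     "CreationDate": "2022-01-01T00:00:00+00:00"},
    {"KeyId": "0000-pending", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion",
     "CreationDate": "2023-03-01T00:00:00+00:00"},
    {"KeyId": "0000-brand-new", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CreationDate": "2025-08-20T00:00:00+00:00"},
]
# Constructed sample of `aws kms list-aliases` output.
SAMPLE_ALIASES = [{"AliasName": "alias/app-db", "TargetKeyId": "0000-active-db"}]
# Constructed last-use timestamp per key id (absent = no use found). KeyMetadata has no
# LastUsedDate field; this is assumed to come from the reviewer's usage evidence (CloudTrail).
SAMPLE_LAST_USED = {"0000-active-db": "2025-08-15T12:00:00+00:00"}
REVIEW_TIME = datetime(2025, 9, 1, tzinfo=timezone.utc)  # constructed review date

def unused_cmk_candidates(keys, aliases, last_used, now, idle_days=90, grace_days=30):
    """Return enabled customer managed keys with no recorded use in the last idle_days.
    Keys created within grace_days are skipped so a new, not-yet-used key is not flagged."""
    cutoff = now - timedelta(days=idle_days)
    aliased = {a["TargetKeyId"] for a in aliases}
    found = []
    for k in keys:
        # AWS managed keys cannot be scheduled for deletion, and keys already pending
        # deletion (or disabled) follow their own lifecycle, so skip both.
        if k["KeyManager"] != "CUSTOMER" or k["KeyState"] != "Enabled":
            continue
        if datetime.fromisoformat(k["CreationDate"]) > now - timedelta(days=grace_days):
            continue
        used = last_used.get(k["KeyId"])
        if used is None or datetime.fromisoformat(used) < cutoff:
            found.append({"KeyId": k["KeyId"], "LastUsed": used,
                          "HasAlias": k["KeyId"] in aliased})
    return found

def deletion_commands(key_id, window_days=30):
    """Return the schedule command and its matching cancel (backout) command for a key."""
    if not 7 <= window_days <= 30:
        raise ValueError("KMS pending window must be between 7 and 30 days")
    return (f"aws kms schedule-key-deletion --key-id {key_id} "
            f"--pending-window-in-days {window_days}",
            f"aws kms cancel-key-deletion --key-id {key_id}")
```

A candidate that still has an alias (HasAlias true) deserves a closer look before scheduling deletion, since an alias usually means something is configured to reference the key.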
Backout Plan:
Using AWS Console:
If you mistakenly delete a key or schedule it for deletion, navigate to KMS and go to the Customer Managed Keys section.
Find the deleted key and ensure it is still in the Pending Deletion state.
Cancel the deletion of the key by selecting the key and choosing Cancel Deletion.
If the key was incorrectly identified as unused, ensure that it is still stored in KMS and reintegrate it into any services that require it.
Using AWS CLI:
To cancel a key deletion that is in progress, run:
aws kms cancel-key-deletion --key-id <key-id>
Verify that the key has been restored and is no longer scheduled for deletion:
aws kms describe-key --key-id <key-id>