AWS KMS Keys Should Not Be Deleted Unintentionally
You should be checking whether or not KMS keys are scheduled for deletion
If you’re using AWS, you should be checking whether KMS keys are scheduled for deletion. If a KMS key is set to be deleted, the control fails.
Once a KMS key is deleted it cannot be recovered, and any data encrypted under it becomes permanently unrecoverable as well. Unless you are deliberately performing a cryptographic erasure, consider decrypting, or re-encrypting under another key, any important data that was encrypted with a KMS key scheduled for deletion.
When a KMS key is scheduled for deletion, a mandatory waiting period applies so that a deletion scheduled by mistake can be reversed. When you schedule the deletion, the default waiting period can be shortened to as little as seven days. During the waiting period the scheduled deletion can be cancelled, and the KMS key is not deleted.
How to Cancel a Pre-Scheduled KMS Key Deletion Process
This is a fairly simple thing to do. Follow these steps to schedule a key deletion and to cancel one:
Scheduling a Key Deletion:
- Open the AWS Key Management Service (AWS KMS) interface after logging into the AWS Management Console.
- Use the Region picker in the page's upper-right corner to change the AWS Region.
- Select Customer controlled keys from the navigation pane.
- Select the checkbox next to the KMS key that you wish to delete, then choose Schedule key deletion under Key actions.
- Read the warning and the information about cancelling the deletion during the waiting period, and consider them carefully. If you change your mind, select Cancel at the bottom of the page.
- Enter a waiting period between seven and thirty days (the value is specified in days).
- Review the KMS keys you are about to delete.
- Confirm that you want to delete this key after [X] days by selecting the checkbox.
- Select Schedule deletion.
- The state of the KMS key changes to Pending deletion.
Canceling a Key Deletion:
- Launch the AWS KMS interface.
- Use the Region picker in the page's upper-right corner to change the AWS Region.
- Select Customer controlled keys from the navigation pane.
- Select the checkbox next to the KMS key that you wish to recover.
- Select Cancel key deletion under Key actions.
- The status of the KMS key changes from Pending deletion to Disabled. You must enable the KMS key before it can be used again.
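The check described at the top of this guide (flag every key in the Pending deletion state, and fail the control if any is found) and the cancellation step above can also be run as a script. The following is an added example, not code from the original guide or from AWS; it assumes boto3 for the two live calls (list_keys/describe_key and cancel_key_deletion), while the evaluation itself runs on constructed sample metadata.

```python
"""Added example (not from the original guide): evaluate the control above
on kms:DescribeKey metadata. Only the two functions that call AWS need boto3,
imported lazily so evaluate_keys() and the sample run offline."""
from datetime import datetime, timedelta, timezone

PENDING = "PendingDeletion"

def evaluate_keys(key_metadata, now=None):
    """One finding per customer managed key in PendingDeletion, with the whole
    days of waiting period left in which CancelKeyDeletion can still recover it."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for md in key_metadata:
        # AWS managed keys cannot be scheduled for deletion by the customer.
        if md.get("KeyManager") != "CUSTOMER" or md.get("KeyState") != PENDING:
            continue
        days_left = max((md["DeletionDate"] - now).days, 0)
        findings.append({"KeyId": md["KeyId"],
                         "DeletionDate": md["DeletionDate"].isoformat(),
                         "DaysUntilDeletion": days_left})
    return findings

def control_passes(findings):
    """The control fails as soon as any key is scheduled for deletion."""
    return len(findings) == 0

def fetch_key_metadata(region_name):
    """Describe every KMS key in one region (live call: needs boto3 and credentials)."""
    import boto3
    kms = boto3.client("kms", region_name=region_name)
    return [kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"]
            for page in kms.get_paginator("list_keys").paginate()
            for k in page["Keys"]]

def cancel_pending_deletions(kms_client, findings):
    """Cancel each flagged deletion. The key is left Disabled, so it must still
    be re-enabled (kms:EnableKey) before it can encrypt or decrypt again."""
    for f in findings:
        kms_client.cancel_key_deletion(KeyId=f["KeyId"])

# Constructed sample (not real keys): one healthy key, one scheduled for deletion
# with the minimum seven-day waiting period, and one AWS managed key.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "key-a", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    {"KeyId": "key-b", "KeyManager": "CUSTOMER", "KeyState": PENDING,
     "DeletionDate": SAMPLE_NOW + timedelta(days=7)},
    {"KeyId": "key-c", "KeyManager": "AWS", "KeyState": "Enabled"},
]
```

Against a real account, pass `fetch_key_metadata("us-east-1")` (or any region) to `evaluate_keys` and review the findings before deciding whether `cancel_pending_deletions` is appropriate for each key.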
How was our guide to checking on your KMS keys? Tell us your thoughts in the comments.