AWS Security Blog

AWS Key Management Service Now Supports Deletion of Encryption Keys

Today, AWS launched a new feature that lets you delete your encryption keys managed in AWS Key Management Service (KMS). You can now manage the complete lifecycle of your keys from creation to usage to disablement to deletion. In this blog post, I will explain the changes introduced with this new feature, tell you what you should do before you delete a key, and then show you how to delete a key.

Keep in mind that deleting a key is a potentially dangerous operation because it makes all data encrypted under that key unrecoverable. For this reason, after you schedule a key for deletion, we enforce a waiting period to give you time to verify whether the key is still needed to decrypt data. You can configure the waiting period to be between 7 and 30 days. During the waiting period, you can cancel the deletion and re-enable the key. At the end of the waiting period, the key is deleted and it becomes unrecoverable. 

Before you delete a key

Before administrators in your account can delete a key, they will need to have the appropriate permissions. The new APIs controlling deletion of keys are ScheduleKeyDeletion and CancelKeyDeletion. All new keys that you create in KMS will have these key deletion permissions for AWS Identity and Access Management (IAM) users and roles listed under the key administrators section of the key policy. For preexisting keys, you can easily add these permissions by selecting a check box on the Key Detail page of the console. You can also add these API actions to a policy on an existing key, IAM user, or IAM role via the console, AWS CLI, or SDKs.

Before you delete a key, verify if you will need the key in the future to decrypt data. You can verify this need in a few ways:

  1. Examine AWS CloudTrail logs: If you have CloudTrail turned on in the region where your key is stored, you can process your CloudTrail log files to view a history of all KMS API activity for a particular key. You might be able to use a key’s activity history to help you determine whether all data that was encrypted under the key has since been decrypted. To learn more about examining CloudTrail logs for KMS API calls, go to the Examining AWS CloudTrail Logs to Determine Actual Usage section of the KMS Developer Guide.
  2. Inspect the key permissions: You can inspect the permissions for a key by examining the key policy and grants that apply to the key to help you determine who or what might still need access to the key. To learn more about inspecting key permissions, go to the Determining Access to a Customer Master Key section of the KMS Developer Guide.

If you are still unsure if it’s safe to delete the key, put the key in a disabled state for as long as you need in order to confirm that no callers expect the key to be present.

How to delete a key

Let’s take a look at how you delete a key using the AWS Management Console.

  1. Select a key and choose Schedule key deletion from the drop-down menu.

Image of Schedule key deletion drop-down menu

  1. Set the waiting period, as shown in the following image.

Image of setting the waiting period

If you don’t define a waiting period, the period defaults to 30 days. As an additional safety measure, you can create an Amazon CloudWatch alarm to alert you when a request on the key has been made during the waiting period. To learn more about how to set this alarm, go to the Creating an Amazon CloudWatch Alarm to Detect Usage of a Customer Master Key That Is Pending Deletion section of the KMS Developer Guide.

  1. Confirm that the key is in Pending Deletion state and note the end of the waiting period.
    Image of confirming that the key is in the Pending Deletion state
  2. As with other KMS APIs, you can track the calls made on the ScheduleKeyDeletion and CancelKeyDeletion APIs through CloudTrail. After the waiting period ends, look for evidence in CloudTrail that the DeleteKey command (highlighted in the following code) has been called by KMS on your key.
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "kms.eu-central-1.amazonaws.com",
        "accountId": "AWS Internal"
    },
    "eventTime": "2015-11-12T16:35:14Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DeleteKey",
    "awsRegion": "eu-central-1",
    "requestParameters": {
        "keyId": "12345678-1234-1234-1234-123456789012"
    },
    "responseElements": null,
    "eventID": "cbe6b378-afa7-420b-b2bd-865474a0a71c",
    "readOnly": false,
    "resources": [
        {
            "ARN": " arn:aws:kms:eu-central-1:123456789012:key/12345678-1234-1234-1234-123456789012",
            "accountId": "123456789012"
        }
    ],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "123456789012"
}

With the launch of this feature, we have updated our pricing policy related to disabled keys. As of April 1, 2016, any disabled keys in your account will be charged $1 per month. We had initially offered disabled keys for free because there was no way to delete a key you no longer needed. To avoid this charge, you can now delete disabled keys.

You can read more about using this feature in the KMS Developer Guide. If you have questions about using this feature or the APIs, or if you have any other questions about KMS, please post them on the KMS forum.

– Sree