Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion

When a CMK is deleted, its associated encrypted data becomes unrecoverable. AWS enforces a waiting period of 7 to 30 days before final removal, during which you can recover the key by canceling the delete action if decryption is still required.

Risk Level: Critical
Cloud Entity: AWS Key Management Service (KMS)
CloudGuard Rule ID: D9.AWS.DR.06
Covered by Spectral: No
Category: Security, Identity, & Compliance


KMS where keyState='PendingDeletion' should have keyState='Disabled'


From Portal

  1. Sign in to the AWS Management Console.
  2. Navigate to KMS dashboard.
  3. In the left navigation panel, click Customer Managed Keys.
  4. Select the appropriate AWS region from the Filter menu.
  5. Under Status column: check for any keys scheduled for deletion. If the current status is Pending Deletion, the key is scheduled for deletion.
  6. Under status column press 'Cancel Key Deletion' in order to cancel key deletion.
  7. Repeat step no. 5 and 6 for all AWS regions.

From Command Line

aws kms cancel-key-deletion --key-id KEYID



AWS Key Management Service (KMS)

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses FIPS 140-2 validated hardware security modules to protect the security of your keys. AWS Key Management Service is integrated with most other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

Compliance Frameworks

  • CloudGuard AWS All Rules Ruleset