Manage KMS encryption keys

One capability across rotation, deletion protection, key-policy scope and decrypt permissions: keep the KMS keys that protect everything you encrypt rotating, recoverable, private and reachable only by the principals that genuinely need them.

15 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: CloudTrail.2 CloudTrail.10 IAM.3 KMS.1 KMS.2 KMS.3 KMS.4 KMS.5

Managing KMS keys: the basics

What does it actually mean to manage a key well across its whole lifecycle?

AWS KMS keys are the root of trust for almost everything you encrypt: S3 objects, EBS volumes, RDS databases, Secrets Manager secrets, CloudTrail logs, Lambda environment variables. A key is not a one-time setting you switch on and forget. It has a lifecycle, and Security Hub turns each part of that lifecycle into its own control. KMS.4 checks that the backing material rotates on a schedule. KMS.3 checks that no key is sitting in a pending-deletion countdown. KMS.5 checks that no key policy grants a wildcard principal. KMS.1 and KMS.2 check that customer managed IAM policies, and inline IAM policies, do not allow the decrypt-family actions against every key. The estate can fail several of these at once, but they are one capability: keep your keys healthy.

Two more controls in this group sit one layer out from KMS itself. CloudTrail.2 and CloudTrail.10 check that your audit trail and CloudTrail Lake event data store are encrypted with a customer managed KMS key rather than the default service-managed key, so that reading the audit history requires a separate kms:Decrypt you control and audit. IAM.3 checks that long-lived IAM access keys are rotated within 90 days. Different services, same underlying discipline: the keys and key-shaped credentials that gate your data should rotate, stay recoverable, stay private, and be reachable only by named principals.

The unifying idea is that a key compromise or a key mistake has an outsized blast radius, because a key sits in front of so much data. A key that never rotates means one stolen backing key is valid forever. A key scheduled for deletion takes every byte it ever encrypted with it. A key policy with a wildcard principal and no limiting condition lets principals in any AWS account perform whatever that statement allows, often both encrypt and decrypt. A decrypt-on-all IAM policy turns one stolen credential into a master pass. Managing keys well is about closing each of these doors before it becomes the door an attacker walks through.

In this lesson you will learn how AWS expresses key health across rotation, deletion protection, key policies, IAM decrypt permissions and audit-log encryption, how to inventory the keys in an account and read their state, and how to remediate each failure without locking yourself out or breaking a workload. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The Capital One key that wasn't

The 2019 Capital One breach is remembered as a server-side request forgery story, but the second act was KMS. The compromised role held kms:Decrypt permissions broad enough to decrypt the S3 object-encryption keys protecting more than a hundred million customer records, including SSNs and bank account numbers. Tighter IAM scoping on the decrypt action would not have stopped the initial intrusion, but it could have sharply limited the data exfiltration. The attacker pulled ciphertext and got AWS to decrypt it for them, using credentials that should never have had that breadth. It is the textbook case for why decrypt should be scoped to specific keys, not granted on every key in the account.

Auditing key health across an account

Devon runs cloud security at a healthcare SaaS company. Security Hub shows a scatter of key findings: a few KMS.4 rotation failures, one KMS.5 publicly accessible key, and a KMS.3 finding where a decommissioning role has just scheduled a production key for deletion.

Rather than work the findings one at a time, he starts by listing every customer managed key with the three facts that decide its health: who manages it, whether rotation is on, and what state it is in. The deletion countdown is the one with a clock running, so he triages that first.

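List every key in the current account and Region with its key state and rotation status. list-keys also returns AWS managed keys, so filter on KeyManager if you want only customer managed ones. The PendingDeletion row is the one with a clock running.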

$ for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do echo "$k $(aws kms describe-key --key-id "$k" --query 'KeyMetadata.KeyState' --output text) $(aws kms get-key-rotation-status --key-id "$k" --query KeyRotationEnabled --output text)"; done
1234abcd-... Enabled True
2345bcde-... Enabled False
3456cdef-... PendingDeletion False
4567defa-... Enabled True
# One key in PendingDeletion (cancel now) and one with rotation off (KMS.4).

Key state and rotation status in one pass. PendingDeletion is the irreversible clock; cancel it before anything else.
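When a key is in PendingDeletion, the next question is how long the clock has left. A minimal sketch, assuming the AWS CLI is configured for the account and Region in question; the function name `pending_deletion_report` is illustrative, not part of any AWS tooling. It reads the `DeletionDate` field that `describe-key` returns alongside the key state.

```shell
# Print "<key-id> <deletion-date>" for every key in PendingDeletion.
# Defined as a function so nothing runs until you call it.
pending_deletion_report() {
  for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
    # --output text prints the two fields on one line, whitespace-separated.
    # DeletionDate is "None" for keys that are not scheduled for deletion.
    set -- $(aws kms describe-key --key-id "$k" \
      --query 'KeyMetadata.[KeyState,DeletionDate]' --output text)
    if [ "$1" = "PendingDeletion" ]; then
      echo "$k $2"
    fi
  done
}
```

Calling `pending_deletion_report` prints one line per key that is counting down, which gives the triage order when more than one key is affected.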

How AWS evaluates key health (deep dive)

The KMS controls resolve to a few distinct mechanisms. Rotation (KMS.4) is a property on the key: when on, KMS generates fresh backing material on a schedule, 365 days by default and configurable from 90 to 2,560 days, while retaining every previous backing key so existing ciphertext decrypts transparently with no re-encryption. Deletion (KMS.3) is a key state: ScheduleKeyDeletion moves a key to PendingDeletion with a 7-to-30-day waiting period, the only window in which CancelKeyDeletion can save it. The access controls are policy documents: KMS.5 inspects the key policy for a wildcard principal, while KMS.1 and KMS.2 inspect customer managed and inline IAM policies for the decrypt-family actions against a wildcard resource.
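The rotation period described above can be set explicitly when rotation is enabled. The sketch below is one way to guard the 90 to 2,560 day range before calling the CLI; the function name `enable_rotation_with_period` and its 365-day default are illustrative choices, and it assumes an AWS CLI version recent enough to accept `--rotation-period-in-days`.

```shell
# Enable automatic rotation with an explicit period, refusing values
# outside the 90 to 2,560 day range that KMS accepts.
enable_rotation_with_period() {
  key_id=$1
  days=${2:-365}
  case "$days" in
    *[!0-9]*) echo "period must be a whole number of days" >&2; return 2 ;;
  esac
  if [ "$days" -lt 90 ] || [ "$days" -gt 2560 ]; then
    echo "period $days is outside 90..2560 days" >&2
    return 2
  fi
  aws kms enable-key-rotation --key-id "$key_id" \
    --rotation-period-in-days "$days"
}
```

For example, `enable_rotation_with_period 1234abcd-... 180` would request a 180-day schedule; the key ID here is the elided placeholder from the listing earlier, not a real key.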

KMS authorisation starts with the key policy. An IAM policy only takes effect on a key when the key policy delegates to IAM, typically through the statement that names the account root, and cross-account access needs both the key policy and the caller's IAM policy to allow the action. That is why a wildcard decrypt IAM policy is bounded by what key policies permit, and also why a wildcard principal in a key policy is so dangerous: the key policy is evaluated directly. The actions to watch are kms:Decrypt and kms:ReEncryptFrom, which read ciphertext, together with kms:GenerateDataKey, which returns a plaintext data key, and kms:GenerateDataKeyWithoutPlaintext, which returns only the encrypted copy. Each control's deep page lists exactly which of these actions its check flags.
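To make the key-policy side concrete, here is a sketch of a policy with no wildcard principal: one statement for the account root, which keeps IAM-based administration working, and one for a single named role. The function name, the Sid values and the chosen action list are illustrative assumptions; the account ID and role name are placeholders supplied by the caller.

```shell
# Print a key policy that names its principals explicitly.
# In a key policy, "Resource": "*" means "this key", not every key.
named_principal_key_policy() {
  account_id=$1
  role_name=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableIamPoliciesForThisAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowUseByNamedRole",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:role/${role_name}" },
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
      "Resource": "*"
    }
  ]
}
EOF
}
```

One way to apply it, after reviewing the output, is to write it to a file and pass that file to `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json`.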

Most of these controls are evaluated by AWS Config on a periodic cycle, so a fix does not flip the finding to PASSED instantly; the control plane change is immediate but the report catches up on the next evaluation. The exception worth knowing is KMS.3, which is change-triggered, so a scheduled deletion surfaces within minutes, which is exactly the window in which you can still cancel it. CloudTrail.2 and CloudTrail.10 extend the same key-management discipline to the audit trail itself, and IAM.3 applies it to long-lived access keys, which never expire on their own and must be rotated by policy.
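For the IAM.3 side, a rough way to see which access keys are past the 90-day mark is sketched below. It assumes GNU `date` (for `date -d`) and an AWS CLI that prints `CreateDate` as an ISO 8601 timestamp; the function name `stale_access_keys` is illustrative.

```shell
# Print "<user> <access-key-id> <age-days>" for active keys older than a limit.
# The 90-day default mirrors the IAM.3 threshold described above.
stale_access_keys() {
  max_days=${1:-90}
  now=$(date -u +%s)
  for user in $(aws iam list-users --query 'Users[].UserName' --output text); do
    aws iam list-access-keys --user-name "$user" \
      --query "AccessKeyMetadata[?Status=='Active'].[AccessKeyId,CreateDate]" \
      --output text |
    while read -r key_id created; do
      # Skip blank lines from users with no active keys.
      [ -n "$key_id" ] || continue
      age=$(( (now - $(date -u -d "$created" +%s)) / 86400 ))
      if [ "$age" -gt "$max_days" ]; then
        echo "$user $key_id $age"
      fi
    done
  done
}
```

Running `stale_access_keys` with no argument uses the 90-day limit; pass a different number of days to tighten or loosen it.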

What is the impact of poorly managed keys?

The blast radius is the whole point. A key sits in front of so much data that a single key problem cascades. A never-rotated key means one stolen backing key decrypts the entire history of data under it rather than a bounded window. A deletion countdown that finishes means permanent, total loss of everything the key encrypted, including any backups that were encrypted under the same key. A wildcard key policy with no limiting condition lets principals in any AWS account use your key for whatever the statement allows. A decrypt-on-all IAM policy turns one compromised credential into access to every key the key policies permit.

There is a second-order integrity risk too. If an outsider can encrypt with your key, they can plant ciphertext into a pipeline that later decrypts and trusts anything encrypted under that key. The wildcard turns an integrity assumption into a vulnerability, which is why the fix is always to name principals and scope keys explicitly rather than trusting the key boundary alone.
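On the IAM side, scoping keys explicitly means listing key ARNs in the Resource element instead of a wildcard. The following sketch builds such a policy and refuses any argument that contains a wildcard; the function name `scoped_decrypt_policy`, the Sid and the two-action list are assumptions made for illustration.

```shell
# Print an IAM policy that allows decrypt only on the key ARNs given as arguments.
scoped_decrypt_policy() {
  [ "$#" -gt 0 ] || { echo "usage: scoped_decrypt_policy KEY_ARN..." >&2; return 2; }
  resources=""
  for arn in "$@"; do
    case "$arn" in
      *'*'*) echo "wildcards are not allowed: $arn" >&2; return 2 ;;
      arn:aws:kms:*:key/*) ;;
      *) echo "not a KMS key ARN: $arn" >&2; return 2 ;;
    esac
    # Build a comma-separated list of quoted ARNs.
    resources="${resources:+$resources, }\"$arn\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DecryptOnNamedKeysOnly",
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
      "Resource": [$resources]
    }
  ]
}
EOF
}
```

The ARNs to pass in are the ones CloudTrail shows the principal actually using; anything it has never touched does not need to be in the list.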

On the compliance side, the major frameworks (CIS, PCI DSS, NIST 800-53, SOC 2 and ISO 27001) expect evidence that encryption keys are rotated, protected and scoped, and that audit logs are encrypted with a customer-controlled key. A passing set of KMS and CloudTrail key controls across every account is among the cheapest and most defensible artefacts you can hand an auditor, and a persistent failure on a free, well-known control reads as weak hygiene and invites questions about which other basics have been skipped.

How do you manage keys safely?

Work the capability as one loop, ordered by reversibility. Cancel the irreversible thing first (a scheduled deletion), then close the open doors, then ratchet the whole estate shut so the findings cannot recur.

1. Stop any irreversible clock first

If any key is in PendingDeletion (KMS.3), nothing else matters until the clock is stopped. Confirm via CloudTrail who scheduled it and whether the key is still in use, then run cancel-key-deletion. Cancelling returns the key to Disabled, not Enabled, so follow with enable-key and confirm dependent services can decrypt again. When you do retire a key on purpose, disable it first and observe before scheduling deletion with the full 30-day window.

2. Close the open doors: public keys and broad decrypt

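For a publicly accessible key (KMS.5), rewrite the wildcard principal to named account or role ARNs and keep the root administrative statement intact. Never simply delete a statement without confirming an administrator still has access, or you can lock yourself out of the key. For broad decrypt (KMS.1, KMS.2), read CloudTrail to learn which keys a principal actually uses, then replace Resource: "*" with specific key ARNs. Fixed-value conditions such as kms:ViaService or kms:CallerAccount narrow the real exposure further, but confirm on the control's deep page whether a condition alone clears the finding, since the check may inspect only the Resource element.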

3. Turn rotation on and encrypt the audit trail

Enable rotation (KMS.4) on every eligible customer managed symmetric key; it is non-destructive, requires no re-encryption, and the key ID, aliases and policies are unchanged. Asymmetric, HMAC, imported-material and custom-key-store keys cannot auto-rotate and need a documented suppression. Point CloudTrail and the CloudTrail Lake event data store at a dedicated customer managed key (CloudTrail.2, CloudTrail.10), and rotate or retire long-lived IAM access keys (IAM.3) toward short-lived role credentials.

4. Ratchet it shut with guardrails

Make each fix a default rather than a one-time cleanup. Deploy the backing AWS Config rules org-wide, bake EnableKeyRotation and customer managed key encryption into the Terraform and CloudFormation modules teams use, and add Service Control Policies that deny kms:ScheduleKeyDeletion on production-tagged keys. Pair them with policy checks in the deployment pipeline that reject inline policies reintroducing a wildcard decrypt or a wildcard principal, because an SCP evaluates the API request rather than the contents of the policy document being written. The misconfiguration should be impossible to merge, not merely detectable after the fact.
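A deletion guardrail of the kind described in step 4 might look like the sketch below. The tag key and value (`Environment=production`) and the function name `deny_key_deletion_scp` are assumptions; substitute whatever tagging convention the organisation already enforces.

```shell
# Print an SCP that denies scheduling deletion of keys carrying a given tag.
deny_key_deletion_scp() {
  tag_key=${1:-Environment}
  tag_value=${2:-production}
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyScheduleDeletionOnTaggedKeys",
      "Effect": "Deny",
      "Action": "kms:ScheduleKeyDeletion",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/${tag_key}": "${tag_value}" }
      }
    }
  ]
}
EOF
}
```

The output can be supplied as the `--content` of `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and then attached to the relevant organisational unit. The guardrail is only as strong as the tagging, so it is worth also restricting who can untag keys.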

# Stop the irreversible clock first: cancel any scheduled deletion, then re-enable.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  state=$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.KeyState' --output text)
  if [ "$state" = "PendingDeletion" ]; then
    aws kms cancel-key-deletion --key-id "$k"
    aws kms enable-key --key-id "$k"   # cancel leaves it Disabled
    echo "$k: deletion cancelled and re-enabled"
  fi
done

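# Turn rotation on for eligible customer managed symmetric keys.
# Imported-material (EXTERNAL) and custom-key-store keys also report
# SYMMETRIC_DEFAULT, so check Origin and KeyState as well as KeySpec.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  read -r mgr spec origin state <<<"$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.[KeyManager,KeySpec,Origin,KeyState]' --output text)"
  if [ "$mgr" = "CUSTOMER" ] && [ "$spec" = "SYMMETRIC_DEFAULT" ] \
     && [ "$origin" = "AWS_KMS" ] && [ "$state" = "Enabled" ]; then
    aws kms enable-key-rotation --key-id "$k"
  fi
done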
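The audit-trail half of step 3 (CloudTrail.2) can be sketched in the same style. The two function names below are illustrative, and the sketch assumes the chosen key's policy already lets CloudTrail use it; without that, `update-trail` is expected to fail.

```shell
# List trails that have no KMS key configured.
unencrypted_trails() {
  aws cloudtrail describe-trails \
    --query 'trailList[?!KmsKeyId].Name' --output text
}

# Point one trail at a customer managed key (key ID, ARN or alias/name).
encrypt_trail() {
  trail_name=$1
  kms_key=$2
  aws cloudtrail update-trail --name "$trail_name" --kms-key-id "$kms_key"
}
```

A typical sequence is to run `unencrypted_trails`, review the names, and then call `encrypt_trail <trail-name> <key>` for each one deliberately rather than in a blind loop.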

You can now treat KMS keys as one capability rather than a scatter of findings: stop any deletion countdown first, close public key policies and broad decrypt permissions by naming principals and scoping keys, turn rotation on and encrypt the audit trail, then ratchet the estate shut with Config rules, infrastructure-as-code defaults and Service Control Policies. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Managing KMS keys: the cost and risk view

A near-zero-cost capability sitting in front of the highest-value data in the estate

KMS keys cost about a dollar a month each, and almost every control in this group costs little or nothing in AWS spend to satisfy. Cancelling a deletion, tightening a key policy or scoping a decrypt permission does not change the bill, and enabling rotation adds at most a small per-key charge for retained key versions (check current KMS pricing). The cost lives almost entirely on the risk side, and it is asymmetric: the keys protect the company's most sensitive data, so a key mistake is one of the few configuration errors that can become a reportable breach or permanent data loss.

Read each failing control by the data behind it rather than by the control count. A publicly accessible key on a partner-data exchange (KMS.5, Critical) or a production key in a deletion countdown (KMS.3, Critical) carries a far higher expected loss than a never-rotated key on a low-traffic test store (KMS.4, Medium). Map the failures to what each key encrypts and prioritise by exposure, not by the order the report lists them.

The insurance maths is one-sided. The remediation is engineering minutes per key. The downside of leaving it is the documented cost of a key-related incident: a breach traceable to a wildcard key policy, permanent loss from a deleted key whose backups were encrypted with that same key, or a compliance finding when an auditor pulls the rotation and key-policy evidence. This is the rare capability where the spend to fix is essentially zero and the avoided downside is open-ended.

This lesson is for the finance partner who sees a cluster of KMS, CloudTrail and IAM key findings on the security report and wants to know what the right response is and what it costs. It covers why most of these controls are free to fix, which exceptions carry a real migration or coordination cost, and how to turn a list of red findings into a risk-ordered remediation plan keyed to the data each key protects.

How a finance partner frames the KMS key findings

Priya is the finance and risk partner at a healthcare SaaS company. Security Hub shows a scatter of key findings: a few KMS.4 rotation failures, one KMS.5 publicly accessible key, and a KMS.3 finding where a decommissioning role has just scheduled a production key for deletion. Her first instinct is not to ask what the fix costs, because she knows it is essentially nothing: cancelling a deletion or tightening a key policy changes no AWS line item, enabling rotation adds at most a small per-key charge, and the keys themselves run about a dollar a month. The cost lives almost entirely on the risk side, and it is asymmetric, because each key sits in front of a large pool of sensitive data.

She reads each failing control by the data behind it rather than by the control count. The KMS.3 pending-deletion finding on a production key is the one with a clock running and the largest possible loss, total unrecoverable destruction of everything it ever encrypted, backups included, so it is the immediate action regardless of its Medium-looking neighbours. The KMS.5 publicly accessible key on a partner-data exchange is the next priority, a Critical exposure of regulated data. The KMS.4 rotation gap on a low-traffic test store is a routine cleanup. Her output for the risk pack is a worklist ordered by expected loss keyed to what each key protects, with a note that persistence beyond one reporting cycle, on a free and framework-mandated control, is a process and ownership problem rather than a budget one.

Why key health belongs on the risk register

The cost model here is the rare one where action costs essentially nothing and inaction creates unbounded tail risk. Enabling rotation, cancelling a deletion, scoping a policy and encrypting the audit trail are all free in AWS terms; the keys themselves are about a dollar a month. The downside is the documented cost of a key-related incident: a breach traceable to an over-broad key, permanent loss from a deleted key, or an audit finding that turns a five-minute fix into a remediation cycle with re-test fees.

The blast radius compounds with what each key protects, so the finance role is to attach expected loss to each failing key. A Critical KMS.5 or KMS.3 finding on a key behind regulated customer data is a this-week priority; a Medium KMS.4 finding on a disposable test store is a routine cleanup. Prioritising by the data behind the key, not by the report's ordering, is what turns a wall of red into a short, defensible worklist.

Treat persistence as the trigger, not cost. A free, framework-mandated control that stays open for more than a reporting cycle is a process and ownership problem, not a budget one. A small, documented set of exceptions, for keys that legitimately cannot rotate, is fine; an open finding on an eligible key is the prompt to ask who owns closing it.

What finance can do about KMS key health

Finance cannot rewrite a key policy or flip rotation on, but it can turn a wall of red KMS, CloudTrail and IAM findings into a risk-ordered worklist with clear ownership and a defensible close-out. Three levers.

1. Attach expected loss to each failing key, keyed to the data behind it

These controls carry no monthly dollar figure, so size them as expected loss weighted by what each key protects. A Critical KMS.5 publicly accessible key or a KMS.3 deletion countdown on regulated customer data is a this-week priority; a Medium KMS.4 rotation gap on a disposable test store is a routine cleanup. Prioritising by the data behind the key, not by the report's ordering, is what turns a wall of red into a short, defensible worklist.

2. Separate the free fixes from the few with real coordination cost

Almost every fix in this group is free engineering minutes: enabling rotation, cancelling a deletion, scoping a policy. Flag the exceptions that carry genuine migration or coordination cost, such as re-pointing CloudTrail at a customer managed key or rotating long-lived IAM access keys toward short-lived role credentials, so they are planned rather than rushed. The keys themselves are about a dollar a month, so spend is never the constraint; sequencing is.

3. Treat persistence as the trigger and require documented exceptions

A free, framework-mandated control that stays open beyond one reporting cycle is a process and ownership problem, not a budget one; that persistence is the prompt to ask who owns closing it. A small, documented set of exceptions, for asymmetric, HMAC or imported-material keys that legitimately cannot auto-rotate, is fine; an open finding on an eligible key is not. Keep those exceptions finance-visible rather than silently suppressed.

You have finished the finance view of KMS key health. You know the keys run about a dollar a month and almost every fix is free, that the right way to prioritise is expected loss keyed to the data behind each key rather than the report's order, and that persistence beyond a reporting cycle on a free, framework-mandated control is a process and ownership problem. Next time a scatter of KMS, CloudTrail and IAM key findings lands, you will produce a risk-ordered worklist and ask who owns closing it, not what it costs.

Managing KMS keys: the headline

Whether the keys protecting our data are healthy by policy, or only by everyone remembering not to make a mistake

Encryption keys are the locks on the company's most sensitive data. This group of controls asks whether those locks are well managed across their whole life: do they rotate so a stolen key is not valid forever, are they protected from accidental deletion that would destroy the data they protect, are they private rather than reachable by any external account, and is the right to decrypt scoped to the principals that genuinely need it.

The leadership question is not whether each box is ticked today. It is whether key health is a default. A key that drifts into a deletion countdown, picks up a wildcard principal, or never rotates is a configuration mistake one bad change away from being an incident. The defensible end state is that rotation is on by default, deletion of production keys is blocked by policy, key policies name principals explicitly, and decrypt is scoped to specific keys.

None of this is a cost decision. The keys are cheap and the fixes are free. It is a governance decision about whether the controls that protect everything else are themselves protected by design, or left to vigilance.

A short read for the leader who needs to know what well-managed encryption keys look like, why it is a governance decision rather than a budget one, and what a defensible end state is across the estate: rotation on by default, deletion of production keys blocked, key policies that name principals, and decrypt scoped to specific keys.

What it looks like when key health is a default

After an internal review surfaced a production key that had drifted into a deletion countdown unnoticed, the CTO asked the security team one question: are the locks on our most sensitive data healthy by policy, or only because people remember not to make a mistake. The honest answer was the latter. A key had nearly been deleted, another carried a wildcard principal, and several had never rotated. Each was one bad change away from a breach notification or irrecoverable data, and every fix was free.

The team made key health a default rather than a quarterly chase. Automatic rotation went on for every eligible customer managed symmetric key, with documented suppressions for the asymmetric and imported-material keys that cannot rotate automatically. Key policies were rewritten to name principals explicitly instead of wildcards, decrypt permissions were scoped to specific key ARNs, and CloudTrail logs were pointed at a dedicated customer managed key so reading the audit history itself requires a controlled, logged decrypt. Then Service Control Policies were added to deny ScheduleKeyDeletion on production-tagged keys, and policy checks in the deployment pipeline were added to reject any policy reintroducing a wildcard. The next review answered the CTO differently: key health is now enforced by default, with exceptions on the record. That standing posture, not the individual ticks, is the governance signal.

Why this is a board-level risk

Encryption is one of the primary controls the company cites when asked how it protects customer data. This group of controls checks whether that claim holds up: keys that rotate, cannot be deleted by accident, are not reachable by external accounts, and can only be used by named principals. Get one of these wrong on a high-value key and a configuration mistake becomes a headline, a breach notification, or irrecoverable data.

The cost of getting it wrong is large and well documented, while the cost of fixing it is essentially engineering time. This is the rare class of control where the risk of inaction is severe and the cost of action is small, which is exactly the trade leadership should be quickest to approve, and exactly the place to insist on prevention by default rather than cleanup after the fact.

The leadership move on KMS key health

The executive handle is to make key health a default so the controls that protect everything else are themselves protected by design rather than left to vigilance. Three moves.

1. Set the deadline by reversibility, irreversible first

Not every finding is equally urgent. A key in a deletion countdown (KMS.3) is on a 7-to-30-day clock, and that waiting period is the only window in which the key can be saved, so it is the immediate action regardless of severity label. Set the expectation that the irreversible clock is stopped first, then public key policies and broad decrypt are closed, then rotation and audit-log encryption are turned on. Deadline by reversibility, not by the report's order.

2. Demand proof that the misconfiguration cannot be merged

A clean report is not the proof; the proof is that the bad change is impossible to reintroduce. Ask to see the org-wide AWS Config rules, the EnableKeyRotation and customer managed key defaults baked into the infrastructure templates, the Service Control Policies that deny ScheduleKeyDeletion on production-tagged keys, and the pipeline checks that reject any inline policy with a wildcard decrypt or wildcard principal. Prevention by default, not cleanup after the fact, is the end state to insist on.

3. Treat the few legitimate exceptions as deliberate, recorded decisions

Some keys genuinely cannot auto-rotate (asymmetric, HMAC, imported-material and custom-key-store keys), and they need a documented suppression rather than an open finding left to drift. Require that each such exception is an explicit, signed-off entry on the record. Encryption is one of the primary controls the company cites when asked how it protects customer data, and the distinction between a reviewed, accepted exception and an overlooked gap is what makes that claim hold up at audit and after an incident.

Two takeaways: the keys are cheap and the fixes are free, so this is a governance decision about whether the controls protecting everything else are themselves protected by design; and the right end state is rotation on by default, deletion of production keys blocked, key policies that name principals, and decrypt scoped to specific keys, all enforced so the misconfiguration cannot be merged. Stop the irreversible clock first, then make key health a default.

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

CloudTrail

IAM

KMS

Related compliance lessons