Ensure there is no disabled KMS key

AWS Cost Optimization
No items found.

Creating a custom KMS Customer Master Key (CMK) within your AWS account, whether enabled or disabled, incurs a monthly charge of $1 until the key is deleted. Since inactive keys are no longer being used but are still being charged, it is advisable to remove them to optimize your AWS costs. To reduce the cost of your monthly bill, it is recommended that you search for disabled Amazon Key Management Service (KMS) keys in your AWS account and delete them.


To ensure that there are no disabled KMS keys in your AWS account, you can follow these remediation steps:

  1. Identify all KMS keys in your AWS account. You can do this using the AWS Management Console, AWS CLI, or AWS SDKs.
  2. Review the list of KMS keys and check the status of each key to determine if any are disabled.
  3. If you identify any disabled KMS keys, determine if they are still needed. If a key is no longer required, proceed to delete it.
  4. Before deleting a KMS key, ensure that it is not currently being used to encrypt any data. If it is, re-encrypt the data using a different KMS key before deleting the old key.
  5. After deleting any disabled KMS keys, monitor your AWS billing statements to verify that the charges associated with these keys have been removed.
  6. Implement a regular review process for KMS keys to ensure that any disabled keys are identified and removed promptly.

By following these remediation steps, you can ensure that there are no disabled KMS keys in your AWS account, which can help optimize your AWS costs and improve the security of your KMS keys.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.