Dealing with Lost AWS KMS Keys
Also read ‘One KMS Key per application in AWS?’
and
Q: How Do You Deal with Lost KMS Keys on AWS?
Critical: If a customer-managed KMS key is permanently deleted (after the waiting period), data encrypted under it is unrecoverable—even by AWS Support.
1) Determine What “Lost” Means
| Scenario | Description | Possible Recovery |
|---|---|---|
| Key disabled | CMK exists but is marked disabled. | Re-enable in console or via CLI. |
| Scheduled for deletion | Key pending deletion (7–30 days). | Cancel deletion before the window ends. |
| Deleted | Key and metadata removed after wait period. | Irrecoverable; data lost. |
| Policy/Access lost | No one can use or manage the key. | Use root user to restore the key policy. |
| Imported key material lost | You brought your own key material and lost it. | Irrecoverable without a backup of the material. |
2) Common Recoveries
Re-enable a Disabled Key
```bash
aws kms enable-key --key-id <key-id>
```
Cancel a Pending Deletion
```bash
aws kms cancel-key-deletion --key-id <key-id>
```
Restore Access via Root (Key Policy Fix)
Sign in as the account root user, then update the key policy to re-grant admin access:
```json
{
  "Version": "2012-10-17",
  "Id": "restore-admin-access",
  "Statement": [
    {
      "Sid": "EnableRootAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<account-id>:root" },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```
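The table in section 1 and the recoveries in section 2 can be turned into a small triage routine. The following is an added example, not code from the original post: it takes the `KeyMetadata` dict shape that boto3's `kms.describe_key()` returns (`KeyState`, `Origin`, `KeyManager`, `DeletionDate`) and maps it onto the scenarios above, printing the matching CLI action where one exists. The sample records are constructed, not real keys, and `None` stands in for the `NotFoundException` you get once a key has actually been deleted. The "policy/access lost" row is not visible in key metadata (that case surfaces as an `AccessDeniedException` on the call itself), so it is outside what this function classifies.

```python
"""Map a KMS key's DescribeKey metadata onto the recovery scenarios in the table above.

Added example (not from the page). It consumes the KeyMetadata dict shape that
boto3's kms.describe_key()["KeyMetadata"] returns; the sample records below are
constructed, not real keys.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional


def triage_key(meta: Optional[dict], now: Optional[datetime] = None) -> dict:
    """Return the scenario, whether it is recoverable, and the recovery action.

    meta=None models a NotFoundException from DescribeKey, i.e. the key was
    deleted after its waiting period (or never existed in this account/region).
    """
    now = now or datetime.now(timezone.utc)
    if meta is None:
        return {"key_id": None, "scenario": "deleted", "recoverable": False,
                "action": "Key no longer exists; data encrypted under it is lost"}

    key_id = meta.get("KeyId", "<unknown>")
    state = meta.get("KeyState")
    result = {"key_id": key_id, "scenario": None, "recoverable": None, "action": None}

    # AWS-managed keys (aws/s3, aws/ebs, ...) cannot be disabled or deleted by the customer.
    if meta.get("KeyManager") == "AWS":
        result.update(scenario="aws-managed", recoverable=True,
                      action="Lifecycle controlled by AWS; nothing to recover on the customer side")
    elif state == "Enabled":
        result.update(scenario="enabled", recoverable=True,
                      action="Key is usable; if callers are denied, review the key policy and grants")
    elif state == "Disabled":
        result.update(scenario="disabled", recoverable=True,
                      action=f"aws kms enable-key --key-id {key_id}")
    elif state == "PendingDeletion":
        # DeletionDate is a timezone-aware datetime in boto3 responses.
        days_left = (meta["DeletionDate"] - now) / timedelta(days=1)
        if days_left > 0:
            result.update(scenario="pending-deletion", recoverable=True,
                          action=f"aws kms cancel-key-deletion --key-id {key_id} "
                                 f"(window closes in {days_left:.1f} days)")
        else:
            result.update(scenario="deleted", recoverable=False,
                          action="Deletion window has elapsed; data is unrecoverable")
    elif state == "PendingImport":
        # Customer-imported (Origin=EXTERNAL) material is absent or expired; only a backup restores it.
        result.update(scenario="imported-material-missing", recoverable=None,
                      action="Re-import the key material from your offline backup; without one the data is lost")
    elif state == "Unavailable":
        result.update(scenario="key-store-unavailable", recoverable=None,
                      action="Backing key store (CloudHSM or external) is unreachable; restore it first")
    else:
        result.update(scenario="unknown", recoverable=None,
                      action=f"Unhandled KeyState {state!r}; inspect manually")
    return result


# Constructed sample metadata, one record per scenario (not real keys).
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "1111-disabled", "KeyState": "Disabled", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER"},
    {"KeyId": "2222-pending", "KeyState": "PendingDeletion", "Origin": "AWS_KMS",
     "KeyManager": "CUSTOMER", "DeletionDate": NOW + timedelta(days=12)},
    {"KeyId": "3333-elapsed", "KeyState": "PendingDeletion", "Origin": "AWS_KMS",
     "KeyManager": "CUSTOMER", "DeletionDate": NOW - timedelta(days=1)},
    {"KeyId": "4444-import", "KeyState": "PendingImport", "Origin": "EXTERNAL", "KeyManager": "CUSTOMER"},
    {"KeyId": "5555-aws", "KeyState": "Enabled", "Origin": "AWS_KMS", "KeyManager": "AWS"},
    None,  # DescribeKey raised NotFoundException: the key is gone
]


def triage_all(keys=SAMPLE_KEYS, now=NOW) -> list:
    """Triage every record; in a real account you would feed describe_key results here."""
    return [triage_key(k, now) for k in keys]


if __name__ == "__main__":
    for r in triage_all():
        flag = {True: "recoverable", False: "LOST", None: "depends"}[r["recoverable"]]
        print(f"{str(r['key_id']):<16} {r['scenario']:<26} {flag:<12} {r['action']}")
```

Run it against real output by replacing `SAMPLE_KEYS` with `[kms.describe_key(KeyId=k)["KeyMetadata"] for k in ids]`, catching `NotFoundException` and passing `None` for those ids; the days-left figure is what decides whether `cancel-key-deletion` is still an option.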
3) Notes on Key Types
- AWS-managed keys (e.g., aws/s3, aws/ebs) are rotated/retained by AWS; you cannot control rotation cadence.
- Imported key material is your responsibility—maintain secure offline backups if you import keys.
4) Preventive Measures
- Enable CloudTrail logging for KMS API calls.
- Limit kms:ScheduleKeyDeletion permissions.
- Use aliases and enable automatic rotation for CMKs.
- Version-control key policies; review regularly.
- Back up imported key material (e.g., HSM or secure vault).
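CloudTrail logging only helps if something reads the trail. The following added example (not code from the original post) scans a CloudTrail log file for the KMS calls that precede a lost key (`ScheduleKeyDeletion`, `DeleteImportedKeyMaterial`, `DisableKey`, `PutKeyPolicy`, `DisableKeyRotation`) and emits an alert per call with the matching recovery command, computing the cancel-by deadline from the event time and `pendingWindowInDays`. The records are constructed in the shape of CloudTrail's KMS management events; the account id, key ids and principals are made up.

```python
"""Flag KMS lifecycle calls in CloudTrail that can lead to a lost key.

Added example (not from the page). Records are constructed in the shape of
CloudTrail's KMS management events (eventSource, eventName, userIdentity,
requestParameters); account id, key ids and principals are made up.
"""
import json
from datetime import datetime, timedelta, timezone

# Calls worth alerting on, with a baseline severity.
RISKY_CALLS = {
    "ScheduleKeyDeletion": "high",
    "DeleteImportedKeyMaterial": "high",
    "DisableKey": "medium",
    "PutKeyPolicy": "medium",
    "DisableKeyRotation": "low",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed CloudTrail log file: three risky KMS calls, one benign KMS call, one non-KMS event.
CONSTRUCTED_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111",
                           "pendingWindowInDays": 7}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "PutKeyPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222",
                           "policyName": "default"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Encrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "requestParameters": {"keyId": "alias/app-data"}},
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "old-logs"}},
]})


def _parse_time(ts: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_risky_kms_calls(trail_json: str) -> list:
    """Return alerts, most severe first, for risky KMS calls in a CloudTrail log file."""
    alerts = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in RISKY_CALLS:
            continue
        params = rec.get("requestParameters") or {}
        key_id = params.get("keyId")
        alert = {
            "severity": RISKY_CALLS[name], "event": name, "key": key_id,
            "actor": (rec.get("userIdentity") or {}).get("arn"), "time": rec["eventTime"],
        }
        if name == "ScheduleKeyDeletion":
            # The cancellation window is all that stands between this call and permanent loss.
            window = int(params.get("pendingWindowInDays", 30))  # KMS default is 30 days
            alert["cancel_by"] = (_parse_time(rec["eventTime"]) + timedelta(days=window)).isoformat()
            alert["remediation"] = f"aws kms cancel-key-deletion --key-id {key_id}"
            if window < 30:  # a shortened window leaves less time to notice and cancel
                alert["severity"] = "critical"
        elif name == "DisableKey":
            alert["remediation"] = f"aws kms enable-key --key-id {key_id}"
        elif name == "PutKeyPolicy":
            alert["remediation"] = "Diff the new policy against the version-controlled copy"
        elif name == "DeleteImportedKeyMaterial":
            alert["remediation"] = "Re-import key material from the offline backup"
        else:
            alert["remediation"] = "Review and re-enable rotation if unintended"
        alerts.append(alert)
    return sorted(alerts, key=lambda a: (SEVERITY_ORDER[a["severity"]], a["time"]))


if __name__ == "__main__":
    for a in detect_risky_kms_calls(CONSTRUCTED_TRAIL):
        print(f"[{a['severity']:>8}] {a['time']} {a['event']:<25} {a['key']}  by {a['actor']}")
        print(f"           -> {a['remediation']}")
```

Point `detect_risky_kms_calls` at the decompressed `.json.gz` objects a trail writes to S3 (each is a `{"Records": [...]}` document) or wire the same logic into an EventBridge rule on `kms.amazonaws.com` events; the `cancel_by` field is the deadline a ticket or pager alert should carry.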
Bottom line: If the deletion grace period has elapsed or imported material is gone without backup, the data cannot be recovered.