2026-06-08 · aws-security
AWS Security published guidance on identifying unused AWS KMS keys and preventing accidental key deletion. The post introduces the GetKeyLastUsage API and explains how teams can block deletion or disabling of recently used keys through policy controls. For cold-storage planning, the key lesson is that encrypted data is only recoverable if both the data and the keys survive. A backup without protected, offline, recoverable key custody can still become permanent data loss.
Through GetKeyLastUsage, AWS KMS now exposes a key's last cryptographic use: the operation type, timestamp, CloudTrail event ID, and KMS request ID, so a key can be traced back to the specific call that last used it. AWS also showed how the kms:TrailingDaysWithoutKeyUsage condition key can be used in policy to deny kms:DisableKey and kms:ScheduleKeyDeletion on keys that were used recently.
AWS explicitly warns that key deletion is irreversible and makes any data encrypted under the key unrecoverable. The post's example is EBS: a volume may show no KMS activity for months and still depend on the key, because EBS only calls KMS to unwrap the volume's data key when the volume is attached or the instance starts and otherwise holds that data key on the host. The next restart, reattachment, or disaster-recovery restore is therefore the moment a deleted key is discovered, and a usage-based "unused key" report alone is not evidence that the key is safe to delete.
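The two controls above, the usage-aware deny statement and the EBS dependency check before scheduling deletion, as one added example; this is not code from the AWS post. The 90-day threshold, the NumericLessThan operator on kms:TrailingDaysWithoutKeyUsage, the field names of the last-usage records, and the sample inventory are all assumptions; only the condition key, the two KMS actions, and the EC2 DescribeVolumes/DescribeSnapshots calls are real.

```python
"""KMS pre-deletion guard (added example, not the AWS post's own code).

Combines a Deny statement keyed on kms:TrailingDaysWithoutKeyUsage with a
per-key verdict that joins last-usage data to an EBS volume/snapshot inventory,
so a key that is quiet in KMS logs but still backs a volume is never scheduled
for deletion. Threshold, operator, record field names and sample data are
assumptions, not taken from the post.
"""
import json
from datetime import datetime, timezone

MIN_IDLE_DAYS = 90  # assumed threshold: keys used within this window are protected


def deny_recent_key_deletion_statement(min_idle_days=MIN_IDLE_DAYS):
    """SCP-shaped statement (add a Principal for a key policy) denying disable or
    scheduled deletion of any key used within the last min_idle_days."""
    return {
        "Sid": "DenyDisableOrDeleteRecentlyUsedKeys",
        "Effect": "Deny",
        "Action": ["kms:ScheduleKeyDeletion", "kms:DisableKey"],
        "Resource": "*",
        # Operator and threshold are assumptions; the condition key is from the post.
        "Condition": {
            "NumericLessThan": {"kms:TrailingDaysWithoutKeyUsage": str(min_idle_days)}
        },
    }


def keys_referenced_by_ebs(volumes, snapshots):
    """Map KMS key ARN -> IDs of volumes/snapshots still encrypted under it.
    Input is DescribeVolumes/DescribeSnapshots records; only encrypted
    resources carry KmsKeyId."""
    refs = {}
    for v in volumes:
        if v.get("KmsKeyId"):
            refs.setdefault(v["KmsKeyId"], []).append(v["VolumeId"])
    for s in snapshots:
        if s.get("KmsKeyId"):
            refs.setdefault(s["KmsKeyId"], []).append(s["SnapshotId"])
    return refs


def classify_key(key_arn, last_usage, refs, now, min_idle_days=MIN_IDLE_DAYS):
    """Return (verdict, reason): 'keep' if used recently or still referenced,
    'candidate' meaning disable first, wait, then schedule deletion."""
    rec = last_usage.get(key_arn)
    if rec is not None:
        idle_days = (now - rec["Timestamp"]).days
        if idle_days < min_idle_days:
            return ("keep", f"used {idle_days} days ago: {rec['Operation']} "
                            f"(CloudTrail event {rec['CloudTrailEventId']})")
    if refs.get(key_arn):
        # Quiet in KMS logs but still backing EBS data: deletion would strand it.
        return ("keep", "referenced by " + ", ".join(sorted(refs[key_arn])))
    return ("candidate", f"no recorded use in {min_idle_days} days and no EBS references")


# Constructed sample inventory, not real account data. The last-usage field
# names mirror the post's description of GetKeyLastUsage output but are assumed.
KEY = "arn:aws:kms:us-east-1:111122223333:key/"
SAMPLE_NOW = datetime(2026, 6, 8, tzinfo=timezone.utc)
SAMPLE_LAST_USAGE = {
    KEY + "k-active": {"Operation": "Decrypt", "Timestamp": datetime(2026, 6, 5, tzinfo=timezone.utc),
                       "CloudTrailEventId": "evt-0001", "KmsRequestId": "req-0001"},
    KEY + "k-quiet-volume": {"Operation": "Decrypt", "Timestamp": datetime(2025, 11, 1, tzinfo=timezone.utc),
                             "CloudTrailEventId": "evt-0002", "KmsRequestId": "req-0002"},
    KEY + "k-orphan": {"Operation": "GenerateDataKey", "Timestamp": datetime(2025, 10, 1, tzinfo=timezone.utc),
                       "CloudTrailEventId": "evt-0003", "KmsRequestId": "req-0003"},
}
SAMPLE_VOLUMES = [{"VolumeId": "vol-0aaa", "KmsKeyId": KEY + "k-quiet-volume"},
                  {"VolumeId": "vol-0bbb"}]  # unencrypted volume: no KmsKeyId
SAMPLE_SNAPSHOTS = [{"SnapshotId": "snap-0ccc", "KmsKeyId": KEY + "k-never-used"}]


def run_sample():
    """Verdict for every key that has usage data or an EBS reference."""
    refs = keys_referenced_by_ebs(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS)
    keys = sorted(set(SAMPLE_LAST_USAGE) | set(refs))
    return {k: classify_key(k, SAMPLE_LAST_USAGE, refs, SAMPLE_NOW) for k in keys}


def live_ebs_inventory(region):
    """Optional live inventory; boto3 is imported here so the rest runs offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    enc = [{"Name": "encrypted", "Values": ["true"]}]
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate(Filters=enc)
               for v in page["Volumes"]]
    snapshots = [s for page in ec2.get_paginator("describe_snapshots").paginate(
        OwnerIds=["self"], Filters=enc) for s in page["Snapshots"]]
    return volumes, snapshots


if __name__ == "__main__":
    print(json.dumps(deny_recent_key_deletion_statement(), indent=2))
    for arn, (verdict, reason) in run_sample().items():
        print(f"{verdict:9} {arn.rsplit('/', 1)[1]}: {reason}")
```

Two points on the design. First, standard IAM condition evaluation (not something the post states) means a key with no usage record has no value for the condition key, NumericLessThan then does not match, and the Deny does not apply; that is the desired outcome for a genuinely never-used key, and it is why the EBS reference check exists as a second gate. Second, the script does not call the GetKeyLastUsage API directly because this summary does not give the SDK method or response field names; feed that API's output into the `last_usage` mapping, then act on a "candidate" verdict by disabling the key and waiting through a full restart and restore cycle before scheduling deletion.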
Cold storage is not just about copying files; it must preserve the recovery material needed to decrypt and verify them. Organizations should keep offline copies of critical recovery keys, backup manifests, and restore procedures so cloud-side mistakes or compromise do not erase the only path back to the data.