KMS Customer Managed Keys Are Used

Overview

This check verifies that your AWS KMS customer managed keys (CMKs) are in an active, "Enabled" state. Keys that are disabled or sitting unused represent potential security and cost concerns.

Risk

Unused or disabled KMS keys create several problems:

  • Expanded attack surface: Dormant keys could be re-enabled by an attacker and used to access encrypted data
  • Unnecessary costs: You pay for CMKs even when they are not being used
  • Operational confusion: Disabled keys may be accidentally deleted, causing permanent data loss if data was encrypted with them
  • Compliance gaps: Auditors may flag inactive keys as poor lifecycle management

Remediation Steps

Prerequisites

  • AWS Console access with permissions to manage KMS keys (kms:EnableKey, kms:DescribeKey)
  • Know which key needs to be enabled (you can find this in the Prowler scan results)

AWS Console Method

  1. Sign in to the AWS KMS Console
  2. In the left navigation, click Customer managed keys
  3. Find and select the key flagged by Prowler
  4. Review the key details to confirm this is a key you want to enable
  5. Click Key actions (top right), then select Enable
  6. Confirm the action when prompted

The key status should change to Enabled.

AWS CLI (optional)

Enable a KMS Key

aws kms enable-key \
    --key-id <your-key-id> \
    --region us-east-1

Replace <your-key-id> with the actual Key ID or Key ARN. Examples:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
  • Key ARN: arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

List All Keys and Their States

To find keys that are not enabled:

aws kms list-keys --region us-east-1 --query 'Keys[*].KeyId' --output text | \
while read key_id; do
    aws kms describe-key --key-id "$key_id" --region us-east-1 \
        --query 'KeyMetadata.[KeyId,KeyState]' --output text
done

This will show each key's ID and state (e.g., Enabled, Disabled, PendingDeletion).

CloudFormation (optional)

When creating or updating KMS keys via CloudFormation, set Enabled: true to ensure the key is active.

AWSTemplateFormatVersion: '2010-09-09'
Description: KMS Customer Managed Key - Enabled

Resources:
  MyKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer managed encryption key
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
      Tags:
        - Key: Environment
          Value: Production

  MyKMSKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/my-enabled-key
      TargetKeyId: !Ref MyKMSKey

Outputs:
  KeyId:
    Description: KMS Key ID
    Value: !Ref MyKMSKey
  KeyArn:
    Description: KMS Key ARN
    Value: !GetAtt MyKMSKey.Arn

Key properties:

  • Enabled: true - Ensures the key is active and can be used for cryptographic operations
  • EnableKeyRotation: true - Automatically rotates the key material annually (recommended)

Terraform (optional)

When managing KMS keys with Terraform, set is_enabled = true to ensure the key is active.

resource "aws_kms_key" "enabled_cmk" {
  description             = "Customer managed encryption key"
  is_enabled              = true
  enable_key_rotation     = true
  deletion_window_in_days = 30

  tags = {
    Environment = "Production"
  }
}

resource "aws_kms_alias" "enabled_cmk_alias" {
  name          = "alias/my-enabled-key"
  target_key_id = aws_kms_key.enabled_cmk.key_id
}

output "key_id" {
  description = "KMS Key ID"
  value       = aws_kms_key.enabled_cmk.key_id
}

output "key_arn" {
  description = "KMS Key ARN"
  value       = aws_kms_key.enabled_cmk.arn
}

Key attributes:

  • is_enabled = true - Ensures the key is active
  • enable_key_rotation = true - Enables automatic annual key rotation
  • deletion_window_in_days = 30 - Provides a 30-day window to cancel accidental deletions

Verification

After enabling the key, verify the change:

  1. In the AWS Console, navigate back to KMS > Customer managed keys
  2. Select the key you just enabled
  3. Confirm the Key status shows Enabled

CLI verification

aws kms describe-key \
    --key-id <your-key-id> \
    --region us-east-1 \
    --query 'KeyMetadata.KeyState' \
    --output text

Expected output: Enabled

Additional Resources

Notes

  • Before enabling a key: Verify you understand what data the key encrypts and who has access. Enabling a key that should remain disabled could expose sensitive data.
  • Keys pending deletion: If a key is in PendingDeletion state, you must cancel the deletion before you can enable it. Use aws kms cancel-key-deletion --key-id <key-id> first.
  • Unused keys: If a key is truly no longer needed, consider scheduling it for deletion rather than leaving it disabled. This reduces your attack surface and costs.
  • Cross-account keys: You cannot enable a key in a different AWS account. You must have direct access to the account that owns the key.
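The CLI loop in "List All Keys and Their States" and the PendingDeletion caveat in the Notes above, combined into one scripted check. This is an added example, not Prowler's own check code; it assumes boto3 is installed for the live path, and the key IDs in SAMPLE_METADATA are constructed, not real.

```python
"""Flag customer managed KMS keys that are not Enabled.

Added example, not Prowler's own check code. find_non_enabled() works on
KeyMetadata dicts (the shape kms describe-key returns) so it runs offline;
scan_region() fetches them live with boto3 (assumed installed).
"""
from typing import Dict, Iterable, List, Tuple

# Remediation per KeyState, following the Notes section: a key that is
# PendingDeletion must have its deletion cancelled before enable-key works.
REMEDIATION = {
    "Disabled": "aws kms enable-key --key-id {key_id}",
    "PendingDeletion": "aws kms cancel-key-deletion --key-id {key_id} && "
                       "aws kms enable-key --key-id {key_id}",
}

# Constructed sample metadata, not output from a real account.
SAMPLE_METADATA = [
    {"KeyId": "1111aaaa-12ab-34cd-56ef-000000000001", "KeyState": "Enabled", "KeyManager": "CUSTOMER"},
    {"KeyId": "2222bbbb-12ab-34cd-56ef-000000000002", "KeyState": "Disabled", "KeyManager": "CUSTOMER"},
    {"KeyId": "3333cccc-12ab-34cd-56ef-000000000003", "KeyState": "PendingDeletion", "KeyManager": "CUSTOMER"},
    {"KeyId": "4444dddd-12ab-34cd-56ef-000000000004", "KeyState": "PendingImport", "KeyManager": "CUSTOMER"},
    {"KeyId": "5555eeee-12ab-34cd-56ef-000000000005", "KeyState": "Disabled", "KeyManager": "AWS"},
]

def find_non_enabled(metadata: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """Return (KeyId, KeyState, remediation) for each customer managed key
    that is not Enabled. AWS managed keys (KeyManager == 'AWS') are skipped:
    AWS controls their lifecycle and enable-key cannot target them."""
    findings = []
    for md in metadata:
        if md.get("KeyManager") != "CUSTOMER" or md["KeyState"] == "Enabled":
            continue
        state = md["KeyState"]
        action = REMEDIATION.get(state, "manual review: not fixable with enable-key")
        findings.append((md["KeyId"], state, action.format(key_id=md["KeyId"])))
    return findings

def scan_region(region: str = "us-east-1") -> List[Tuple[str, str, str]]:
    """Live scan of one region; needs kms:ListKeys and kms:DescribeKey."""
    import boto3  # imported here so the offline path has no boto3 dependency
    kms = boto3.client("kms", region_name=region)
    metadata = [kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"]
                for page in kms.get_paginator("list_keys").paginate()
                for k in page["Keys"]]
    return find_non_enabled(metadata)

if __name__ == "__main__":
    for key_id, state, action in find_non_enabled(SAMPLE_METADATA):
        print(f"{key_id}\t{state}\t{action}")
```

Unlike the plain CLI loop, this skips AWS managed keys (which describe-key also returns) and pairs each finding with the command sequence the Notes call for.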