
AWS KMS now tracks and displays the last cryptographic operation timestamp for all KMS keys, enabling security teams to identify unused keys, verify active usage, and implement policy-based protection against accidental deletion.


<div><p>This article announces that AWS KMS now tracks the last cryptographic operation performed on all KMS keys, providing visibility without manual log analysis.</p><ul><li>View timestamp, operation type, and CloudTrail event ID for last key usage</li><li>Accessible via AWS KMS console or API</li><li>Helps identify unused keys for cleanup and verify active key usage</li><li>New condition key (kms:TrailingDaysWithoutKeyUsage) protects against accidental deletion</li><li>Available in all AWS Regions including GovCloud and China Regions</li></ul><p>This feature simplifies key management and compliance tracking by providing built-in visibility into KMS key usage patterns.</p></div>


AWS KMS now tracks last usage of all KMS keys

Related articles

Related articles

Jun 2
2026
Identify unused AWS KMS keys and prevent accidental key deletions

Mar 17
2025
AWS KMS CloudWatch metrics help you better track and understand how your KMS keys are being used

Dec 16
2024
AWS KMS: How many keys do I need?

Jun 6
2025
AWS KMS launches on-demand key rotation for imported keys