Identify unused AWS KMS keys and prevent accidental key deletions

Security Blog



This article introduces AWS KMS's new GetKeyLastUsage API, which helps identify unused encryption keys and prevent accidental deletions through policy controls.

  • GetKeyLastUsage API shows when KMS keys were last used for cryptographic operations
  • Tracking began April 23, 2026; keys created before then may have untracked usage history
  • View last usage in AWS KMS console under key general configuration details
  • Use kms:TrailingDaysWithoutKeyUsage condition key in policies to block recent key deletions
  • Sample script provided to scan unused keys across accounts and regions
  • Key deletion is irreversible; disable first and monitor for failures before deleting
  • EBS volumes cache encryption keys, so a key can show no KMS activity while volumes still depend on it
  • CloudTrail remains authoritative source for complete audit trail and request details

The GetKeyLastUsage API simplifies KMS key auditing and lifecycle management by providing immediate usage visibility, reducing operational costs and improving security posture.
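An added example (not code from the AWS post or its sample script) applying the two points above: it classifies keys from last-usage data, treating silence on a key created before tracking began as unknown history rather than disuse, and builds a key-policy Deny statement around the kms:TrailingDaysWithoutKeyUsage condition key. The field names on the key records, the 90-day threshold and the numeric comparison used for the condition key are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Date tracking began, from the post; usage before this is not recorded.
TRACKING_START = datetime(2026, 4, 23, tzinfo=timezone.utc)

def classify_key(key, now, threshold_days=90):
    """Return (status, days) for one key record.

    `key` holds what a caller would collect from DescribeKey and GetKeyLastUsage:
    'KeyId', 'CreationDate', 'LastUsedDate' (None when no usage is recorded).
    These field names are assumptions for the example, not the API's own.
    """
    created, last = key["CreationDate"], key.get("LastUsedDate")
    if last is None:
        if created < TRACKING_START:
            # No recorded usage but the key predates tracking: history may be untracked.
            return "unknown-history", None
        days = (now - created).days
    else:
        days = (now - last).days
    if days >= threshold_days:
        # Do not delete outright: EBS volumes keep using cached keys without KMS calls,
        # so disable first, watch for failures, then schedule deletion.
        return "disable-candidate", days
    return "active", days

def scan(keys, now, threshold_days=90):
    return {k["KeyId"]: classify_key(k, now, threshold_days) for k in keys}

def deny_recent_deletion_statement(min_idle_days=90):
    """Key-policy statement refusing ScheduleKeyDeletion for recently used keys.
    Assumes kms:TrailingDaysWithoutKeyUsage is a numeric day count (assumption)."""
    return {
        "Sid": "DenyDeletionOfRecentlyUsedKeys",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "kms:ScheduleKeyDeletion",
        "Resource": "*",
        "Condition": {"NumericLessThan": {"kms:TrailingDaysWithoutKeyUsage": str(min_idle_days)}},
    }

# Constructed sample inventory; the key ids and dates are made up.
NOW = datetime(2026, 9, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "key-a", "CreationDate": datetime(2025, 1, 1, tzinfo=timezone.utc), "LastUsedDate": None},
    {"KeyId": "key-b", "CreationDate": datetime(2026, 5, 1, tzinfo=timezone.utc), "LastUsedDate": None},
    {"KeyId": "key-c", "CreationDate": datetime(2026, 5, 1, tzinfo=timezone.utc), "LastUsedDate": NOW - timedelta(days=3)},
]
```

Run `scan(SAMPLE_KEYS, NOW)` to see key-a flagged as unknown history, key-b as a disable candidate and key-c as active; CloudTrail remains the place to confirm before acting.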


