Hello Dannniel,
Some customers may see one or more AWS managed CMK(s) that have no alias. These keys are referred to as spare keys. They are fully functional and have the same security and durability properties as other AWS managed CMKs. Spare keys are normally hidden from view and are not intended to be used by customers. Note that not all keys without an alias are spare AWS managed CMKs: customer managed CMKs that you create using the CreateKey API can also have no alias.
You should avoid using spare keys, even if an AWS service displays them as an option. Instead, select a customer managed CMK or the AWS managed CMK relating to the service in question, with the familiar aws/ alias.
If you are already using spare keys, you can continue to use them, but we recommend changing, if possible, to a customer managed CMK or the AWS managed CMK with the correct alias to avoid potential confusion. If you see references to keys being used, for example in your CloudTrail logs, that you suspect are spare keys, you can verify that the key is an AWS managed CMK in your AWS account by using the ListKeys or DescribeKey API with the Key ID of the key being used. For help, see https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html in the KMS documentation.
You cannot delete AWS managed CMKs, including these spare keys. However, it is important to remember that spare keys can continue to be used safely, and the presence of spare keys does not increase the security risk to your other keys. As with all AWS managed CMKs, AWS does not charge for the storage of spare keys and charges only for the use of these CMKs. Learn more about pricing for AWS managed keys at https://aws.amazon.com/kms/pricing/.
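The verification step the answer describes (take a key ID from a CloudTrail record, call DescribeKey and ListAliases, and decide whether it is a customer managed CMK, an AWS managed CMK with an aws/ alias, or an AWS managed CMK with no alias, i.e. a spare key) is shown below as an added example. It is not part of the answer above and not AWS code. The `KeyManager` and `AWSAccountId` fields and the `alias/aws/` prefix are real DescribeKey/ListAliases values; the CloudTrail record, the `FakeKms` stand-in client and the helper names are constructed for the offline demo.

```python
"""Classify KMS keys referenced in CloudTrail using DescribeKey and ListAliases.

Added example (not AWS code). boto3 is imported lazily so the classification
logic runs offline; pass a real boto3 KMS client to describe_and_classify for a
live check.
"""
import re
from typing import Iterable, List, Optional

# Key ID (UUID) inside a KMS key ARN: arn:aws:kms:<region>:<account>:key/<uuid>
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[^:]+:(\d{12}):key/([0-9a-f-]{36})$")


def key_id_from_arn(arn: str) -> Optional[str]:
    """Return the bare key ID from a KMS key ARN, or None if it is not a key ARN."""
    m = KEY_ARN_RE.match(arn)
    return m.group(2) if m else None


def key_ids_from_cloudtrail(event: dict) -> List[str]:
    """Collect key IDs from the 'resources' list of a CloudTrail KMS event.

    Hypothetical helper: it relies only on the 'resources[].ARN' field that
    CloudTrail records for KMS API calls.
    """
    ids = []
    for res in event.get("resources", []):
        kid = key_id_from_arn(res.get("ARN", ""))
        if kid:
            ids.append(kid)
    return ids


def classify_key(metadata: dict, alias_names: Iterable[str],
                 expected_account: Optional[str] = None) -> str:
    """Classify DescribeKey metadata plus the key's alias names.

    A key is an AWS managed CMK when KeyManager == "AWS"; one of those with no
    alias is what the answer calls a spare key. A customer managed CMK
    (KeyManager == "CUSTOMER") may also lack an alias, so the absence of an
    alias alone is not enough to call a key "spare".
    """
    if expected_account and metadata.get("AWSAccountId") != expected_account:
        return "foreign-account"          # not a key in this account at all
    aliases = list(alias_names)
    manager = metadata.get("KeyManager")
    if manager == "CUSTOMER":
        return "customer-managed" if aliases else "customer-managed-no-alias"
    if manager == "AWS":
        if any(a.startswith("alias/aws/") for a in aliases):
            return "aws-managed-service"  # the familiar aws/<service> key
        return "aws-managed-spare"        # AWS managed, no alias: avoid using
    return "unknown"


def describe_and_classify(key_id: str, client=None,
                          expected_account: Optional[str] = None) -> str:
    """Live lookup: DescribeKey + paginated ListAliases filtered to one key."""
    if client is None:
        import boto3                      # deferred so the module imports offline
        client = boto3.client("kms")
    meta = client.describe_key(KeyId=key_id)["KeyMetadata"]
    names = []
    for page in client.get_paginator("list_aliases").paginate(KeyId=key_id):
        names.extend(a["AliasName"] for a in page["Aliases"])
    return classify_key(meta, names, expected_account)


class FakeKms:
    """Constructed stand-in for a boto3 KMS client (offline demo only)."""

    def __init__(self, metadata: dict, aliases: List[str]):
        self._meta, self._aliases = metadata, aliases

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._meta, KeyId=KeyId)}

    def get_paginator(self, name):
        assert name == "list_aliases"
        aliases = self._aliases

        class _Paginator:
            def paginate(self, **kwargs):
                yield {"Aliases": [{"AliasName": a} for a in aliases]}
        return _Paginator()


# Constructed CloudTrail record (trimmed to the fields used here).
SAMPLE_EVENT = {
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "resources": [{
        "accountId": "123456789012",
        "type": "AWS::KMS::Key",
        "ARN": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    }],
}
SPARE_META = {"KeyManager": "AWS", "AWSAccountId": "123456789012", "KeyState": "Enabled"}


def demo() -> str:
    """Run the whole flow against the constructed record and fake client."""
    kid = key_ids_from_cloudtrail(SAMPLE_EVENT)[0]
    return describe_and_classify(kid, FakeKms(SPARE_META, []), "123456789012")


if __name__ == "__main__":
    print(demo())
```

Against a real account, replace `FakeKms(...)` with `boto3.client("kms")`; a result of `aws-managed-spare` for a key you see in CloudTrail is the cue to switch the calling service to a customer managed CMK or the aws/ aliased key, exactly as the answer recommends.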