Default EBS key not showing in KMS GUI

0

When I run the command aws kms list-keys, I can see a Default EBS master key which is enabled. Here is the describe-key output:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS", 
        "KeyId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 
        "Description": "Default master key that protects my EBS volumes when no other key is defined", 
        "KeyManager": "AWS", 
        "Enabled": true, 
        "KeyUsage": "ENCRYPT_DECRYPT", 
        "KeyState": "Enabled", 
        "CreationDate": 1526533744.85, 
        "Arn": "arn:aws:kms:ap-southeast-2:xxxxxxxxxxxx:key/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 
        "AWSAccountId": "xxxxxxxxxxxx"
    }
}

However, this key is currently not showing up in the New KMS GUI. I have another Default EBS Master Key from the aws kms list-keys output which is showing up in the GUI. Is there a reason why only 1 EBS key is showing up?

If I use the Classic GUI, I can see the key is there but the Alias is blank. Here is a screenshot: https://i.imgur.com/o79YO43.png

asked 5 years ago, 727 views
2 Answers
0
Accepted Answer

Hello Dannniel,

Some customers may see one or more AWS managed CMK(s) that have no alias. These keys are referred to as spare keys. They are fully functional and have the same security and durability properties as other AWS Managed CMKs. Spare keys are normally hidden from view and are not intended to be used by customers. Note, not all keys without an alias are spare AWS managed CMKs. Customer managed CMKs that you create using the CreateKey API can also have no alias.

You should avoid using spare keys, even if an AWS service displays them as an option. Instead, select a customer managed CMK or the AWS managed CMK relating to the service in question, with the familiar aws/ alias.

If you are already using spare keys, you can continue to use them, but we recommend changing, if possible, to a customer managed CMK or the AWS managed CMK with the correct alias to avoid potential confusion. If you see references to keys being used, for example in your CloudTrail logs, that you suspect are spare keys, you can verify that the key is an AWS managed CMK in your AWS account by using the ListKeys or DescribeKey API with the Key ID of the key being used. For help, see https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html in the KMS documentation.

You cannot delete AWS managed CMKs, including these spare keys. However, it is important to remember that spare keys can continue to be used safely and the presence of spare keys does not increase the security risk to your other keys. As with all AWS managed CMKs, AWS does not charge for the storage of spare keys and charges only for the use of these CMKs. Learn more about https://aws.amazon.com/kms/pricing/ for AWS managed keys.

AWS
answered 5 years ago
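The check the answer describes (find AWS managed CMKs that carry no alias, and confirm that a Key ID seen in CloudTrail is an AWS managed CMK in your own account) can be scripted over the JSON that the CLI already returns. The following is an added example, not code from the question or the AWS answer; it works on constructed sample data shaped like describe-key and list-aliases output, with placeholder account and key IDs rather than the poster's values.

```python
import json

# Constructed sample data in the shape of `aws kms describe-key` and
# `aws kms list-aliases` output. Account id and key ids are placeholders.
ACCOUNT_ID = "123456789012"
DESCRIBE_KEY_OUTPUTS = [
    {"KeyMetadata": {"KeyId": "1111aaaa-0000-0000-0000-000000000001", "KeyManager": "AWS",
                     "AWSAccountId": ACCOUNT_ID, "KeyState": "Enabled",
                     "Description": "Default master key that protects my EBS volumes when no other key is defined"}},
    {"KeyMetadata": {"KeyId": "2222bbbb-0000-0000-0000-000000000002", "KeyManager": "AWS",
                     "AWSAccountId": ACCOUNT_ID, "KeyState": "Enabled",
                     "Description": "Default master key that protects my EBS volumes when no other key is defined"}},
    {"KeyMetadata": {"KeyId": "3333cccc-0000-0000-0000-000000000003", "KeyManager": "CUSTOMER",
                     "AWSAccountId": ACCOUNT_ID, "KeyState": "Enabled", "Description": ""}},
]
LIST_ALIASES_OUTPUT = {"Aliases": [
    {"AliasName": "alias/aws/ebs", "TargetKeyId": "1111aaaa-0000-0000-0000-000000000001"},
    {"AliasName": "alias/aws/s3"},  # service alias not yet bound to a key: no TargetKeyId
]}


def classify_keys(describe_outputs, list_aliases_output):
    """Map each KeyId to one of: aws-managed, spare-aws-managed,
    customer-managed, customer-managed-no-alias.
    Only AWS managed keys without an alias are spare keys; a customer
    managed key without an alias is simply a key nobody aliased."""
    aliased = {a["TargetKeyId"] for a in list_aliases_output["Aliases"] if "TargetKeyId" in a}
    result = {}
    for out in describe_outputs:
        md = out["KeyMetadata"]
        has_alias = md["KeyId"] in aliased
        if md["KeyManager"] == "AWS":
            result[md["KeyId"]] = "aws-managed" if has_alias else "spare-aws-managed"
        else:
            result[md["KeyId"]] = "customer-managed" if has_alias else "customer-managed-no-alias"
    return result


def verify_cloudtrail_key(key_id, describe_outputs, account_id):
    """For a KeyId seen in CloudTrail, return True only if DescribeKey shows it
    is an AWS managed CMK that belongs to our account."""
    for out in describe_outputs:
        md = out["KeyMetadata"]
        if md["KeyId"] == key_id:
            return md["KeyManager"] == "AWS" and md["AWSAccountId"] == account_id
    return False  # not among this account's keys at all


if __name__ == "__main__":
    print(json.dumps(classify_keys(DESCRIBE_KEY_OUTPUTS, LIST_ALIASES_OUTPUT), indent=2))
```

To run it against a real account, replace the constructed samples with the parsed JSON from `aws kms list-keys`, one `aws kms describe-key --key-id <id>` per key, and `aws kms list-aliases`.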
0

Thanks awsrcoppar!

answered 5 years ago
