AWS kms documentation change
Summary
Added new kms:TrailingDaysWithoutKeyUsage condition key with documentation and example policy
Security assessment
Documents a new security control for preventing accidental key deletion/disabling based on usage patterns. This enables safer key lifecycle management without addressing a specific vulnerability.
Diff
diff --git a/kms/latest/developerguide/conditions-kms.md b/kms/latest/developerguide/conditions-kms.md index 9f37956cb..dab7b76cd 100644 --- a//kms/latest/developerguide/conditions-kms.md +++ b//kms/latest/developerguide/conditions-kms.md @@ -7 +7 @@ -kms:BypassPolicyLockoutSafetyCheckkms:CallerAccountkms:CustomerMasterKeySpec (deprecated)kms:CustomerMasterKeyUsage (deprecated)kms:DataKeyPairSpeckms:EncryptionAlgorithmkms:EncryptionContext:context-keykms:EncryptionContextKeyskms:ExpirationModelkms:GrantConstraintTypekms:GrantIsForAWSResourcekms:GrantOperationskms:GranteePrincipalkms:KeyAgreementAlgorithmkms:KeyOriginkms:KeySpeckms:KeyUsagekms:MacAlgorithmkms:MessageTypekms:MultiRegionkms:MultiRegionKeyTypekms:PrimaryRegionkms:ReEncryptOnSameKeykms:RequestAliaskms:ResourceAliaseskms:ReplicaRegionkms:RetiringPrincipalkms:RotationPeriodInDayskms:ScheduleKeyDeletionPendingWindowInDayskms:SigningAlgorithmkms:ValidTokms:ViaServicekms:WrappingAlgorithmkms:WrappingKeySpec +kms:BypassPolicyLockoutSafetyCheckkms:CallerAccountkms:CustomerMasterKeySpec (deprecated)kms:CustomerMasterKeyUsage (deprecated)kms:DataKeyPairSpeckms:EncryptionAlgorithmkms:EncryptionContext:context-keykms:EncryptionContextKeyskms:ExpirationModelkms:GrantConstraintTypekms:GrantIsForAWSResourcekms:GrantOperationskms:GranteePrincipalkms:KeyAgreementAlgorithmkms:KeyOriginkms:KeySpeckms:KeyUsagekms:MacAlgorithmkms:MessageTypekms:MultiRegionkms:MultiRegionKeyTypekms:PrimaryRegionkms:ReEncryptOnSameKeykms:RequestAliaskms:ResourceAliaseskms:ReplicaRegionkms:RetiringPrincipalkms:RotationPeriodInDayskms:ScheduleKeyDeletionPendingWindowInDayskms:SigningAlgorithmkms:TrailingDaysWithoutKeyUsagekms:ValidTokms:ViaServicekms:WrappingAlgorithmkms:WrappingKeySpec @@ -113,0 +114,2 @@ For detailed information about the `ForAnyValue` and `ForAllValues` set operator + * kms:TrailingDaysWithoutKeyUsage + @@ -1716,0 +1719,58 @@ The following example key policy allows users who can assume the `testers` role +## kms:TrailingDaysWithoutKeyUsage + +AWS KMS condition keys | Condition type | Value type | API operations | Policy type +---|---|---|---|--- +`kms:TrailingDaysWithoutKeyUsage` | Numeric | Single-valued | `DisableKey` `ScheduleKeyDeletion` | Key policies and IAM policies + +The `kms:TrailingDaysWithoutKeyUsage` condition key represents the number of trailing days without cryptographic operations on a KMS key, calculated from the last successful cryptographic operation, or from the KMS key's creation date or `TrackingStartDate` if the key has never been used. For more information about the tracking start date, see [Understanding the usage tracking period](./monitoring-keys-determining-usage.html#understanding-tracking-period). You can use this condition key in key policies and IAM policies to control access to the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) and [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) operations. + +This condition key is a numeric, single-valued condition. The trailing days value is always rounded down. For example, if a key was last used 89.9 days ago, the value is 89. + +The `kms:TrailingDaysWithoutKeyUsage` is calculated as follows: + + * For keys created _on or after_ the `TrackingStartDate` that have _not been used_ since tracking started: + +Formula: _Present Date_ \- `KeyCreationDate` + +For example, if the _Present Date_ is April 30, 2026 and the key was created on April 20, 2026, the value is 10. + + * For keys created _before_ the `TrackingStartDate` that have _not been used_ since tracking started: + +Formula: _Present Date_ \- `TrackingStartDate` + +For example, if the _Present Date_ is April 30, 2026 and the `TrackingStartDate` is April 15, 2026, the value is 15, regardless of when the key was created. + + * For keys that have _been used_ since tracking started, irrespective of when the key was created: + +Formula: _Present Date_ \- `Timestamp` of `KeyLastUsage` + + + + +The following example key policy statement denies the `ScheduleKeyDeletion` and `DisableKey` operations when the key has been used within the last 90 days, or when the key has no recorded usage and was either created 90 or fewer days ago or tracking started 90 or fewer days ago. This prevents accidental deletion or disabling of actively used or recently created keys. + + + { + "Effect": "Deny", + "Action": [ + "kms:ScheduleKeyDeletion", + "kms:DisableKey" + ], + "Principal": "*", + "Resource": "*", + "Condition": { + "NumericLessThanEquals": { + **"kms:TrailingDaysWithoutKeyUsage": "90"** + } + } + } + +**See also** + + * [Examine the last cryptographic operation performed with a KMS key](./monitoring-keys-determining-usage.html#examine-last-usage) + + * kms:ScheduleKeyDeletionPendingWindowInDays + + + +