AWS KMS now tracks last usage of all KMS keys
Amazon Web Services has enhanced its Key Management Service (KMS) with a new visibility feature that automatically tracks the last cryptographic operation performed with each KMS key. The update eliminates the need for security administrators to manually query and analyze CloudTrail logs to determine key usage patterns, providing direct access to timestamps, operation types, and associated CloudTrail event IDs through both the AWS KMS console and API. The enhancement includes a new condition key (kms:TrailingDaysWithoutKeyUsage) that enables policy-based protection against accidental deletion of recently used encryption keys. Security teams can leverage this functionality to identify dormant keys for cleanup, verify active key usage, and streamline compliance reporting processes. The feature is now available across all AWS regions where KMS operates, including commercial, GovCloud, and China regions.
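As an added illustration (not part of the original announcement), here is a key-policy statement that uses the condition key named above to refuse to schedule deletion of a key that has been used within the last 90 days. The 90-day threshold, the `NumericLessThan` operator, and the `Sid` are assumptions made for this example; `kms:ScheduleKeyDeletion` is the standard KMS deletion action.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyDeletionOfRecentlyUsedKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "kms:ScheduleKeyDeletion",
      "Resource": "*",
      "Condition": {
        "NumericLessThan": {
          "kms:TrailingDaysWithoutKeyUsage": "90"
        }
      }
    }
  ]
}
```

This statement is meant to sit alongside the key policy's existing Allow statements; a Deny whose condition does not match leaves the decision to those statements, so check the KMS documentation for how the condition key behaves on a key that has never been used before relying on it.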
Why It Matters
This update addresses a significant operational pain point for enterprise security teams managing large-scale encryption key infrastructures. By providing automated visibility into key usage patterns, AWS is reducing the complexity of key lifecycle management and compliance reporting. The policy-based deletion protection mechanism helps prevent costly mistakes that could render encrypted data inaccessible, while the cleanup identification capabilities support security hygiene best practices in cloud environments.
This summary is generated using AI analysis of the original press release. Always refer to the original source for complete details.