Determining past usage of a customer master key

Before deleting a customer master key (CMK), you may want to know whether the key has been used to encrypt ciphertext that still depends on it. AWS KMS does not store this information, and it does not store any ciphertext, so you must determine the CMK's past usage yourself. Understanding how a CMK has been used helps you decide whether it is still needed. The following guidance will help you determine past usage of a CMK.

Examine CMK permissions to determine the potential scope of use

Determining which principals currently have access to a customer master key (CMK) helps you gauge the potential scope of its use and whether the CMK is still needed. To learn how to find out who currently has access to a CMK, see Determining access to an AWS KMS customer master key.

Examine AWS CloudTrail logs to determine actual usage

AWS KMS is integrated with AWS CloudTrail, so all AWS KMS API activity is recorded in CloudTrail log files. If CloudTrail is enabled in the region where the customer master key (CMK) is located, you can examine the CloudTrail log files to see all AWS KMS API activity for a specific CMK and so understand its usage history. That history can help you determine whether the CMK is still needed.
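As an added example (not part of the original page and not AWS code), the following Python script shows what "examining the CloudTrail log files for a specific CMK" looks like in practice: it loads the `Records` array of a CloudTrail log file, keeps only events whose `eventSource` is `kms.amazonaws.com`, matches the CMK by its ARN in the event's `resources`, and summarizes the callers, operations and time range. The sample log, account ID, key IDs and principal ARNs are constructed placeholders. It also separates cryptographic operations (Encrypt, Decrypt, GenerateDataKey and similar) from management calls such as DescribeKey, because a key that only ever appears in DescribeKey events has not protected any ciphertext.

```python
import json
from collections import Counter

# Constructed placeholders (not real AWS identifiers).
TARGET_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/0987fedc-98fe-76dc-54ba-0987654321fe"

# KMS API operations that actually use the key material; management-only
# calls (DescribeKey, GetKeyPolicy, ListGrants, ...) are deliberately absent.
CRYPTOGRAPHIC_OPERATIONS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "Sign", "Verify",
}

def _event(time, name, principal, key_arn, source="kms.amazonaws.com"):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"arn": principal},
        "resources": [{"ARN": key_arn, "type": "AWS::KMS::Key"}],
    }

# Constructed sample CloudTrail log file, not real log data.
SAMPLE_LOG = json.dumps({"Records": [
    _event("2019-08-10T12:00:01Z", "Encrypt", "arn:aws:iam::111122223333:role/app-role", TARGET_KEY_ARN),
    _event("2019-08-11T08:30:00Z", "Decrypt", "arn:aws:iam::111122223333:role/app-role", TARGET_KEY_ARN),
    _event("2019-08-12T09:00:00Z", "GenerateDataKey", "arn:aws:iam::111122223333:user/alice", TARGET_KEY_ARN),
    _event("2019-08-13T10:00:00Z", "DescribeKey", "arn:aws:iam::111122223333:user/auditor", TARGET_KEY_ARN),
    _event("2019-08-13T11:00:00Z", "Decrypt", "arn:aws:iam::111122223333:role/app-role", OTHER_KEY_ARN),
    # Non-KMS event: must be ignored even though it references the key ARN.
    _event("2019-08-13T12:00:00Z", "GetObject", "arn:aws:iam::111122223333:user/alice",
           TARGET_KEY_ARN, source="s3.amazonaws.com"),
]})

def iter_kms_events(log_text):
    """Yield the CloudTrail records that were emitted by AWS KMS."""
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") == "kms.amazonaws.com":
            yield rec

def events_for_key(log_text, key_arn):
    """Return the KMS events whose resources list references key_arn."""
    matches = []
    for rec in iter_kms_events(log_text):
        arns = {r.get("ARN") for r in rec.get("resources", [])}
        if key_arn in arns:
            matches.append(rec)
    return matches

def summarize_key_usage(log_text, key_arn):
    """Summarize who used the CMK, for which operations, and when."""
    evs = events_for_key(log_text, key_arn)
    times = [e["eventTime"] for e in evs]
    return {
        "total": len(evs),
        "by_operation": dict(Counter(e["eventName"] for e in evs)),
        "principals": sorted({e.get("userIdentity", {}).get("arn", "unknown") for e in evs}),
        "first_seen": min(times, default=None),
        "last_seen": max(times, default=None),
    }

def has_cryptographic_use(log_text, key_arn):
    """True if the CMK was used for at least one cryptographic operation."""
    return any(e["eventName"] in CRYPTOGRAPHIC_OPERATIONS
               for e in events_for_key(log_text, key_arn))

if __name__ == "__main__":
    print(json.dumps(summarize_key_usage(SAMPLE_LOG, TARGET_KEY_ARN), indent=2))
    print("cryptographic use:", has_cryptographic_use(SAMPLE_LOG, TARGET_KEY_ARN))
```

On a real account you would feed this the decompressed `.json.gz` log files that CloudTrail delivers to its S3 bucket for the CMK's region; because KMS records only the events it sees after CloudTrail is enabled, an empty result only covers the logged period, and a CMK with no Encrypt, Decrypt or GenerateDataKey events in that period may still protect older ciphertext.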


Source: www.cnblogs.com/cloudrivers/p/11334780.html