Updated on 2025-08-25 GMT+08:00

Key Status Check

Rule Details

Table 1 Rule details

Parameter       | Description
Rule Name       | kms-not-scheduled-for-deletion
Identifier      | Key Status Check
Description     | If a KMS key is in the Pending deletion state, this key is non-compliant.
Tag             | kms
Trigger Type    | Configuration change
Filter Type     | kms.keys
Rule Parameters | None

Application Scenarios

A key is not deleted until its scheduled deletion period expires. You can set the period to 7 to 1096 days. During this period the key is in the Pending deletion state.

A deleted key cannot be recovered. If a KMS key is deleted, the data encrypted using that key cannot be recovered either, and services that depend on this data may be interrupted. Check the keys in the Pending deletion state to avoid accidental deletion.

Use secure networks, such as VPN, instead of EIP networks to transmit data. Reduce the attack surface and improve the security of the data synchronization network by configuring firewalls, security groups, and ACL rules. For details, see Security Best Practices.

Solution

If a key was scheduled for deletion by mistake, cancel the scheduled deletion for that key immediately.

If you are sure that the key should be deleted, ignore the non-compliance result for the key until the key is deleted. If you do not want the rule to evaluate keys that are expected to be deleted, add a tag to those KMS keys and use the tag in the compliance rule to filter them out (policy_filter). For details, see Compliance Rule Concepts.

Rule Logic

  • If a KMS key is in the Pending deletion state, this key is non-compliant.
  • If a KMS key is not in the Pending deletion state, this key is compliant.
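The rule logic above, together with the tag-based exclusion described in the Solution section, as an added example. This is not the Config service's own evaluator and not code from the page: the key record fields (key_id, key_state, tags), the state string "Pending deletion" used as the key_state value, and the exclusion tag planned-deletion=true are assumptions chosen to mirror the page's wording, and the sample keys are constructed.

```python
"""Evaluate constructed KMS key records against the
kms-not-scheduled-for-deletion rule logic (added example, not the
service's own code). Field names and the state string are assumptions."""
from dataclasses import dataclass, field

# Assumed state value; the page names the state "Pending deletion".
PENDING_DELETION = "Pending deletion"

# Scheduled deletion period bounds stated on the page (days).
MIN_DELETION_DAYS = 7
MAX_DELETION_DAYS = 1096


@dataclass
class KmsKey:
    """Minimal key record; fields are assumptions, not the real API schema."""
    key_id: str
    key_state: str
    tags: dict = field(default_factory=dict)


def evaluate_key(key: KmsKey) -> str:
    """Rule logic: pending deletion -> NonCompliant, otherwise Compliant."""
    return "NonCompliant" if key.key_state == PENDING_DELETION else "Compliant"


def evaluate_keys(keys, exclude_tag=None) -> dict:
    """Evaluate every key; keys carrying exclude_tag (a (name, value) pair)
    are skipped, mirroring the policy_filter approach from the Solution
    section for keys that are expected to be deleted."""
    results = {}
    for key in keys:
        if exclude_tag is not None:
            name, value = exclude_tag
            if key.tags.get(name) == value:
                continue  # intentionally scheduled for deletion; not evaluated
        results[key.key_id] = evaluate_key(key)
    return results


def pending_deletion_keys(keys) -> list:
    """Keys an operator should review before the scheduled period expires."""
    return [k.key_id for k in keys if k.key_state == PENDING_DELETION]


def is_valid_deletion_period(days: int) -> bool:
    """Check a requested scheduled deletion period against the 7..1096 day
    range stated on the page."""
    return MIN_DELETION_DAYS <= days <= MAX_DELETION_DAYS


# Constructed sample inventory (not real keys).
SAMPLE_KEYS = [
    KmsKey("key-0001", "Enabled"),
    KmsKey("key-0002", PENDING_DELETION),
    KmsKey("key-0003", PENDING_DELETION, {"planned-deletion": "true"}),
    KmsKey("key-0004", "Disabled"),
]

if __name__ == "__main__":
    print("all keys:", evaluate_keys(SAMPLE_KEYS))
    print("with tag filter:",
          evaluate_keys(SAMPLE_KEYS, exclude_tag=("planned-deletion", "true")))
    print("review before expiry:", pending_deletion_keys(SAMPLE_KEYS))
```

Running the block without a filter flags both pending keys; with the planned-deletion tag supplied as the exclusion, only key-0002 remains non-compliant, which is the case the Solution section says needs an operator's attention (cancel the scheduled deletion if it was a mistake).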