AWS has published guidance on identifying unused KMS encryption keys and protecting them from accidental deletion across large, multi-account environments. Orphaned or forgotten keys can inflate costs, create compliance gaps, and pose a risk if unexpectedly deleted — potentially making encrypted data permanently inaccessible. The post outlines tooling and processes to audit key usage and apply deletion safeguards at scale.

Architect’s Take: Implement regular KMS key usage audits using AWS CloudTrail and CloudWatch metrics, and ensure deletion windows and key policies are configured to prevent accidental removal — particularly in multi-account organisations where key ownership can become unclear over time.

Original advisory: Identify unused AWS KMS keys and prevent accidental key deletions