Amazon KMS now tracks last usage of all KMS keys

Posted on: Apr 29, 2026

Amazon Key Management Service (KMS) now provides visibility into the last cryptographic operation performed with your KMS keys, eliminating the need to manually query and analyze logs. This feature helps security administrators and compliance teams quickly determine when their KMS keys were last used for cryptographic operations. You can view the timestamp, the type of operation performed, and the associated Amazon CloudTrail event ID from the Amazon KMS management console, or via API.

You can use this feature to help identify unused keys for cleanup, verify that keys are actively used, and track down how your keys are used in Amazon CloudTrail. In addition, the new condition key `kms:TrailingDaysWithoutKeyUsage` enables policy-based protection against accidental deletion of recently used keys.

This new feature is available in Amazon Web Services China (Beijing) Region, operated by Sinnet, and in Amazon Web Services China (Ningxia) Region, operated by NWCD. For more information, see Monitoring key in the Amazon KMS Developer Guide.