AWS Launches Last-Used Tracking for KMS Keys, Simplifying Security Audits and Cost Management

Amazon Web Services on April 23, 2026, rolled out a new feature for its Key Management Service (KMS) that automatically tracks and displays the last time a cryptographic key was used, a move aimed at simplifying security audits and cost management for its cloud customers. This is a significant quality-of-life improvement for businesses managing their cloud infrastructure. In our experience, many small and mid-sized companies struggle with cloud cost and security hygiene, and unused but active resources represent both a financial drain and a potential security liability. This new visibility directly addresses a common operational pain point.

Prior to this update, identifying unused KMS keys was a cumbersome and technically demanding process. Administrators had to manually search through extensive logs in AWS CloudTrail, a service that records API calls and user activity. According to technical documentation and user reports, this often required constructing complex queries with tools like Amazon Athena to parse terabytes of log data, a task that could be both time-consuming and prone to error. For companies without dedicated security analysts or cloud engineers, this high barrier often meant that unused keys were left active indefinitely, accumulating small charges and expanding the potential attack surface.

The new feature fundamentally changes this workflow. AWS users can now see a “Last Used” timestamp directly within the AWS Management Console for each of their customer-managed keys. This new field provides not only the date and time of the last cryptographic operation but also the specific type of operation performed and a direct link to the corresponding CloudTrail event ID for deeper investigation. This allows administrators to quickly assess a key’s activity at a glance. For automated workflows and custom tooling, AWS has also introduced a new API call, `GetKeyLastUsage`.
The `GetKeyLastUsage` call allows developers and security teams to programmatically retrieve the last-usage information for a specific key, enabling the creation of automated scripts for inventory management, compliance reporting, and security alerting.

However, AWS advises that administrators use the new data with caution. The service only began tracking key usage on a specific date, which it refers to as the `TrackingStartDate`. In the documentation, AWS explains that if a key was created before this date and has not been used since tracking began, its last-usage information will appear empty. In such cases, a key may seem unused but could have been used prior to the start of the tracking period. Therefore, administrators must compare a key’s creation date with the `TrackingStartDate` to make a fully informed decision about its lifecycle. Furthermore, the documentation notes there can be a delay of up to one hour between a cryptographic operation and the time that usage is recorded.

The update also does not eliminate the need for business context. As some developers have noted, an old “Last Used” date does not automatically mean a key is obsolete. A key used for a critical but infrequent task, such as annual financial reporting or disaster recovery, might appear inactive for most of the year but remain essential to operations. While this new tool provides valuable data, the decision to delete a key still requires careful business analysis. This highlights the need for robust internal controls and documentation, which is a core component of the financial risk management services C&S Finance Group LLC provides at csfinancegroup.com. We help clients establish processes to ensure that cost-saving measures, like decommissioning apparently unused assets, do not inadvertently disrupt critical business functions or violate compliance requirements.

This last-used tracking feature complements the broader suite of monitoring capabilities available through Amazon CloudWatch.
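The decision rules above (compare the creation date with the `TrackingStartDate`, allow for the one-hour recording lag, and keep a business-context allowlist for infrequently used keys) are easy to get wrong in an ad-hoc cleanup script. The following Python is an added example, not code from AWS or from this article: it classifies keys from records that mirror the information the article says `GetKeyLastUsage` exposes. The field names (`creation_date`, `tracking_start_date`, `last_used_date`, `last_operation`, `cloudtrail_event_id`), the 90-day inactivity threshold and the sample records are all assumptions constructed for the example; mapping them from the real API response is left to the reader.

```python
"""Classify customer-managed KMS keys from last-used data (added example).

Field names below are assumptions; populate them from the GetKeyLastUsage
response and the key's creation date before running against real keys.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# AWS documents a lag of up to one hour before a use is recorded, so any
# "stale" or "never-used" verdict should be re-queried before acting on it.
RECORDING_DELAY = timedelta(hours=1)


@dataclass
class KeyUsageRecord:
    key_id: str
    creation_date: datetime
    tracking_start_date: datetime              # the TrackingStartDate caveat
    last_used_date: Optional[datetime]         # None when nothing is recorded
    last_operation: Optional[str] = None       # e.g. "Decrypt" (assumed field)
    cloudtrail_event_id: Optional[str] = None  # link for deeper investigation
    exempt: bool = False                       # business-context allowlist


def classify_key(rec: KeyUsageRecord, now: datetime,
                 inactivity_threshold: timedelta = timedelta(days=90)) -> str:
    """Return one of: exempt, new, unknown, never-used, active, stale."""
    if rec.exempt:
        # Annual reporting / DR keys: an old date is not evidence of obsolescence.
        return "exempt"
    # Too young to judge: a key created less than an hour ago may have been
    # used without the use being recorded yet, and a key younger than the
    # threshold has not had a full window in which to be used.
    if now - rec.creation_date < max(inactivity_threshold, RECORDING_DELAY):
        return "new"
    if rec.last_used_date is None:
        if rec.creation_date < rec.tracking_start_date:
            # Empty does not mean unused: the key predates tracking and may
            # have been used before the TrackingStartDate.
            return "unknown"
        # Created after tracking began and never used since: safe to flag.
        return "never-used"
    if now - rec.last_used_date <= inactivity_threshold:
        return "active"
    return "stale"


def review_candidates(records: List[KeyUsageRecord],
                      now: datetime) -> Dict[str, Dict[str, Optional[str]]]:
    """Keys worth a human review, with the evidence an auditor needs."""
    out: Dict[str, Dict[str, Optional[str]]] = {}
    for rec in records:
        verdict = classify_key(rec, now)
        if verdict in ("stale", "never-used", "unknown"):
            out[rec.key_id] = {
                "verdict": verdict,
                "last_operation": rec.last_operation,
                "cloudtrail_event_id": rec.cloudtrail_event_id,
            }
    return out


# Constructed sample data (not real keys); TrackingStartDate is a placeholder.
TRACKING_START = datetime(2026, 4, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2026, 9, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    KeyUsageRecord("key-a", datetime(2025, 1, 15, tzinfo=timezone.utc),
                   TRACKING_START, None),
    KeyUsageRecord("key-b", datetime(2026, 4, 10, tzinfo=timezone.utc),
                   TRACKING_START, None),
    KeyUsageRecord("key-c", datetime(2026, 8, 20, tzinfo=timezone.utc),
                   TRACKING_START, None),
    KeyUsageRecord("key-d", datetime(2025, 6, 1, tzinfo=timezone.utc),
                   TRACKING_START, datetime(2026, 8, 30, tzinfo=timezone.utc),
                   "Decrypt", "EXAMPLE-EVENT-ID-1"),
    KeyUsageRecord("key-e", datetime(2025, 6, 1, tzinfo=timezone.utc),
                   TRACKING_START, datetime(2026, 4, 15, tzinfo=timezone.utc),
                   "Encrypt", "EXAMPLE-EVENT-ID-2"),
    KeyUsageRecord("key-f", datetime(2025, 6, 1, tzinfo=timezone.utc),
                   TRACKING_START, datetime(2026, 4, 5, tzinfo=timezone.utc),
                   "Sign", "EXAMPLE-EVENT-ID-3", exempt=True),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.key_id, classify_key(rec, SAMPLE_NOW))
    print(review_candidates(SAMPLE_RECORDS, SAMPLE_NOW))
```

The `unknown` verdict is the one most scripts forget: a key that predates the `TrackingStartDate` with an empty last-used field still has to be investigated in CloudTrail rather than scheduled for deletion, which is exactly the comparison the documentation asks administrators to make.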
While CloudWatch has long provided metrics for overall KMS API usage, allowing users to track trends, detect anomalies in request patterns, and set alarms for unusual activity, it previously lacked this simple, direct signal for individual key inactivity. The new feature provides a more granular and accessible data point for a very specific but common task: identifying and cleaning up potentially orphaned cryptographic resources.

For small and mid-sized businesses, which often operate with lean IT and security teams, this update is particularly beneficial. It lowers the barrier to entry for performing essential security hygiene, reducing the reliance on specialized expertise in log analysis and query languages. The direct impact is twofold: potential cost savings from decommissioning keys that are no longer needed, and a stronger security posture from reducing the number of active, unmonitored cryptographic assets.

This move by AWS is part of a welcome industry trend toward embedding security and cost-management tools directly into core services, making best practices more accessible. For businesses, the challenge now shifts from difficult data gathering to more strategic data interpretation and policy enforcement.

Looking ahead, industry observers will be watching to see if this last-used tracking capability is extended to other types of AWS resources, which would further simplify asset lifecycle management across the platform. The new `GetKeyLastUsage` API is also expected to be rapidly integrated into third-party Cloud Security Posture Management (CSPM) and cost optimization tools, enabling more sophisticated and automated reporting on unused cryptographic keys in complex environments.