aws-nuke

Do not delete KMS keys by alias

Open moltar opened this issue 1 year ago • 4 comments

It is possible to specify a filter like this:

      KMSAlias:
        - alias/cdk-hnb659fds-assets-key

But the underlying key that the alias points to still gets deleted.

      ap-northeast-1 - KMSKey - c38c7e34-**** - [ID: "c38c7e34-****", Manager: "CUSTOMER", State: "Enabled"] - would remove


moltar avatar Oct 05 '24 19:10 moltar

Unfortunately, it is not at this time. AWS treats KMS Aliases as an entirely separate resource. We might be able to modify the behavior to include the first found alias maybe, but only if that's deterministic. Technically a key can have multiple aliases.

ekristen avatar Oct 06 '24 04:10 ekristen

#375 implements a fix, but you'll have to change a configuration ...

      KMSKey:
        - property: Alias
          value: alias/cdk-hnb659fds-assets-key

ekristen avatar Oct 11 '24 00:10 ekristen
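
A pre-flight check for the situation in this thread, added here as an example (not code from aws-nuke or from the commenters): it parses dry-run output in the layout quoted in the issue and reports any protected KMS key still marked `would remove`. The function names, sample lines, key IDs and the `filtered by config` status in the sample are constructed, and the protected key IDs are assumed to have been resolved from their aliases beforehand.

```python
import re

# Dry-run line layout, as in the output quoted in the issue:
#   <region> - <ResourceType> - <id> - [<properties>] - <status>
LINE_RE = re.compile(
    r"^(?P<region>\S+) - (?P<rtype>\S+) - (?P<rid>.+?) - \[.*\] - (?P<status>.+)$"
)

# Constructed sample output; the key IDs are made up for this example.
SAMPLE = """\
ap-northeast-1 - KMSAlias - alias/cdk-hnb659fds-assets-key - [] - filtered by config
ap-northeast-1 - KMSKey - 11111111-2222-3333-4444-555555555555 - [ID: "11111111-2222-3333-4444-555555555555", Manager: "CUSTOMER", State: "Enabled"] - would remove
ap-northeast-1 - KMSKey - aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee - [ID: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", Manager: "CUSTOMER", State: "Enabled"] - filtered by config
"""


def parse_line(line):
    """Split one dry-run line into its fields; None if it is not a resource line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def keys_at_risk(dry_run_output, protected_key_ids):
    """Return (region, key id) for every protected KMS key marked 'would remove'."""
    protected = set(protected_key_ids)
    hits = []
    for line in dry_run_output.splitlines():
        rec = parse_line(line)
        if rec is None or rec["rtype"] != "KMSKey":
            continue  # banners, other resource types, and aliases are ignored
        if rec["status"] == "would remove" and rec["rid"] in protected:
            hits.append((rec["region"], rec["rid"]))
    return hits


if __name__ == "__main__":
    protected = {
        "11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    }
    for region, key_id in keys_at_risk(SAMPLE, protected):
        print(f"ABORT: protected key {key_id} in {region} would be removed")
```

Filtering only the `KMSAlias` resource produces exactly the first two sample lines: the alias is kept while the key behind it is still scheduled for removal.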

Thank you 🙏

moltar avatar Oct 11 '24 07:10 moltar

@moltar You can test it from the builds here - https://github.com/ekristen/aws-nuke/actions/runs/11294170251

ekristen avatar Oct 11 '24 14:10 ekristen

:tada: This issue has been resolved in version 3.27.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket:

ekristen avatar Oct 14 '24 19:10 ekristen