ekristen / aws-nuke

Remove all the resources from an AWS account
https://ekristen.github.io/aws-nuke/
MIT License

Do not delete KMS keys by alias #367

Open moltar opened 13 hours ago

moltar commented 13 hours ago

It is possible to specify a filter like this:

      KMSAlias:
        - alias/cdk-hnb659fds-assets-key

But the underlying key that the alias points to still gets deleted.

ap-northeast-1 - KMSKey - c38c7e34-**** - [ID: "c38c7e34-****", Manager: "CUSTOMER", State: "Enabled"] - would remove


ekristen commented 3 hours ago

Unfortunately it is not at this time. AWS treats KMS Aliases as an entirely separate resource. We might be able to modify the behavior to include the first found alias maybe, but only if that's deterministic. Technically a key can have multiple aliases.
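
An added example, not part of the thread and not aws-nuke code: one way to work around the behaviour described above is to resolve each protected alias to its key ID from `aws kms list-aliases` output (per region) and emit a matching `KMSKey` filter next to the `KMSAlias` one. The sample JSON and key IDs are constructed placeholders, the helper names are hypothetical, and the `property`/`value` filter form with the `ID` property (taken from the log line above) is an assumption to check against your aws-nuke version.

```python
import json

# Constructed sample shaped like `aws kms list-aliases` output; key IDs are placeholders.
SAMPLE_LIST_ALIASES = json.dumps({
    "Aliases": [
        {"AliasName": "alias/cdk-hnb659fds-assets-key", "TargetKeyId": "KEY-ID-PLACEHOLDER-1"},
        {"AliasName": "alias/cdk-assets-legacy", "TargetKeyId": "KEY-ID-PLACEHOLDER-1"},
        {"AliasName": "alias/scratch", "TargetKeyId": "KEY-ID-PLACEHOLDER-2"},
        {"AliasName": "alias/aws/ebs"},  # alias entry with no key behind it
    ]
})


def key_filters_for_aliases(list_aliases_json, protected_aliases):
    """Return (filters, missing): filter entries plus aliases that did not resolve."""
    alias_to_key = {}
    for entry in json.loads(list_aliases_json).get("Aliases", []):
        key_id = entry.get("TargetKeyId")
        if key_id:  # skip aliases that do not point at a key
            alias_to_key[entry["AliasName"]] = key_id

    wanted = sorted(set(protected_aliases))
    # Unresolved aliases are reported so the caller can stop before running a nuke.
    missing = [a for a in wanted if a not in alias_to_key]
    # Several aliases can share one key, so de-duplicate the key IDs.
    key_ids = sorted({alias_to_key[a] for a in wanted if a in alias_to_key})
    filters = {
        "KMSAlias": wanted,
        "KMSKey": [{"property": "ID", "value": k} for k in key_ids],
    }
    return filters, missing


def render_yaml(filters):
    """Render the filter block by hand to avoid a YAML dependency."""
    lines = []
    for resource, entries in filters.items():
        lines.append(f"{resource}:")
        for e in entries:
            if isinstance(e, dict):
                lines.append(f"  - property: {e['property']}")
                lines.append('    value: "%s"' % e["value"])
            else:
                lines.append(f"  - {e}")
    return "\n".join(lines)


if __name__ == "__main__":
    f, missing = key_filters_for_aliases(SAMPLE_LIST_ALIASES, ["alias/cdk-hnb659fds-assets-key"])
    print(render_yaml(f))
    print("unresolved aliases:", missing)
```

Run it against each region's alias listing, and treat a non-empty `missing` list as a reason not to proceed, since an unresolved alias means its key has no filter.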