Lost CMK Keys

Access to the CMKs created in the AWS accounts can only be managed by:

  • Using the Key Policy
  • Using the IAM policies in combination with the key policy
  • Using grants in combination with the key policy

If a gap in any of these controls leads to an unexpected CMK deletion, neither AWS nor Clumio can recover the key after 30 days.

You must work with AWS to ensure that the keys are recovered during the recoverable time frame of 30 days. After 30 days have passed, the key is permanently lost and cannot be used to decrypt the encrypted backups.

CMK loss and data recovery

AWS CMKs are governed by the usage and management policies defined by the IAM permissions for users and roles created by your security team. With these policies in place, the CMKs cannot be lost, but they can be deleted by users or roles that hold the privileged permission to delete them.
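
To see which principals a key policy lets delete a CMK, the following added example (not Clumio or AWS code) scans a policy document for Allow statements that cover kms:ScheduleKeyDeletion, including wildcard actions. The sample policy, account ID and role names are constructed placeholders; the check does not evaluate Deny statements, NotAction or Condition logic, and IAM policies attached to users and roles still need their own review.

```python
import fnmatch
import json

DELETE_ACTION = "kms:ScheduleKeyDeletion"  # KMS API call that schedules a key for deletion

# Constructed key policy; the account ID and role names are placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "EnableIAMPolicies", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "kms:*", "Resource": "*"},
  {"Sid": "BackupUse", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleBackupRole"},
   "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
  {"Sid": "KeyAdmins", "Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::111122223333:role/ExampleKeyAdmin"]},
   "Action": ["kms:Describe*", "kms:Schedule*", "kms:CancelKeyDeletion"], "Resource": "*"}
]}
""")

def as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def principals(stmt):
    """Flatten a statement's Principal element into 'Type:value' strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    return [f"{kind}:{v}" for kind in sorted(p) for v in as_list(p[kind])]

def deletion_allowed_by(policy):
    """Return one finding per principal in each Allow statement covering DELETE_ACTION."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        # IAM action names are case-insensitive and may contain * wildcards.
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatch.fnmatchcase(DELETE_ACTION.lower(), a) for a in actions):
            continue
        for who in principals(stmt):
            findings.append({
                "sid": stmt.get("Sid", ""),
                "principal": who,
                # Account root as principal hands the decision to IAM policies in that account.
                "delegates_to_iam": who.endswith(":root"),
                "conditional": "Condition" in stmt,
            })
    return findings
```

A finding with delegates_to_iam set means the key policy alone does not name who can delete the key; any identity in that account whose IAM policy allows the action can do so.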

If the CMK is deleted, Clumio notifies you through the Alerts page in the Clumio portal. Clumio also automatically creates a Support case to recover the key, as it remains in a recoverable state for 30 days after being deleted. If the keys are recovered within 30 days of deletion, all encrypted backups are recoverable.


For more information about CMK keys, see Data Encryption Keys.



Please reach out to [email protected] with any questions.