AWS KMS CMK Loss

This rule monitors for activity that could lead to the loss of KMS Customer Managed Keys (CMKs).

Risk: Low

Remediation Effort: Low

KMS CMKs cannot be deleted immediately by users; they can only be scheduled for deletion, with a waiting period of at least 7 days before the deletion takes effect. Once a key is deleted, there is no way to decrypt data that was encrypted with it.
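As an added example (not part of the original rule text), the following detection logic scans CloudTrail records for the two KMS actions that put a CMK on the path to loss, DisableKey and ScheduleKeyDeletion, and reports the key, the caller and the pending window. The sample records, the key ARN and the account ID are constructed for illustration; the filter expression in the comment is the one associated with CIS AWS Benchmark 3.7.

```python
import json
from typing import Iterable

# CIS AWS Benchmark 3.7 metric filter covering the same events:
# {($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))}
WATCHED_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}


def find_cmk_loss_events(records: Iterable[dict]) -> list[dict]:
    """Return one alert per successful CloudTrail record that disables or schedules deletion of a KMS key."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in WATCHED_EVENTS:
            continue
        if rec.get("errorCode"):
            # A denied or failed call did not change the key's state, so it is not a loss event.
            continue
        params = rec.get("requestParameters") or {}
        alerts.append({
            "event": rec["eventName"],
            "key": params.get("keyId"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "time": rec.get("eventTime"),
            # ScheduleKeyDeletion carries the waiting period (minimum 7 days); DisableKey has none.
            "pending_days": params.get("pendingWindowInDays"),
        })
    return alerts


# Constructed sample CloudTrail records (hypothetical account, key and user).
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"}, "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
 {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}, "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID", "pendingWindowInDays": 7}},
 {"eventTime": "2024-01-10T09:06:00Z", "eventSource": "kms.amazonaws.com", "eventName": "DisableKey",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}, "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
 {"eventTime": "2024-01-10T09:07:00Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"}, "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}
]""")

if __name__ == "__main__":
    for alert in find_cmk_loss_events(SAMPLE_RECORDS):
        print(alert)
```

Each alert is a prompt to confirm with the key owner that the deletion or disablement was planned before the pending window expires.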

Remediation

Ensure that the key deletion was planned, and that it will not cause loss of access to sensitive or critical data.

References

  • CIS AWS Benchmark 3.7: "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs"