This rule monitors for activity that could lead to the loss of KMS Customer Managed Keys (CMKs).
KMS CMKs cannot be directly deleted by users, but are instead scheduled for deletion at some point at least 7 days in the future. Once these keys are deleted, there is no way to decrypt data encrypted with them.
Ensure that the key deletion was planned, and that it will not cause loss of access to sensitive or critical data.
CIS AWS Benchmark 3.7: "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs"