AWS KMS CMK Loss
This rule monitors for activity that could lead to the loss of KMS Customer Managed Keys (CMKs).
Risk: Low
Remediation Effort: Low
KMS CMKs cannot be directly deleted by users, but are instead scheduled for deletion at some point at least 7 days in the future. Once these keys are deleted, there is no way to decrypt data encrypted with them.
Remediation
Ensure that the key deletion was planned, and that it will not cause loss of access to sensitive or critical data.
References
  • CIS AWS Benchmark 3.7: "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs"
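As an added example (not part of this rule page), the detection logic behind the CIS 3.7 metric filter applied to CloudTrail records: it flags KMS DisableKey and ScheduleKeyDeletion calls and, for scheduled deletions, computes the earliest time the key can actually be deleted from the requested pending window. The CloudTrail records are constructed samples; field names follow the CloudTrail record format, and the key ARNs and principal ARNs are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (not real events): a key scheduled for
# deletion, a key disabled, and an unrelated KMS call that must not alert.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1",
                           "pendingWindowInDays": 7}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2"}},
    {"eventTime": "2024-03-01T10:06:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Encrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-app"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}},
]

# The two KMS API calls the CIS 3.7 metric filter matches.
ALERT_EVENTS = {"ScheduleKeyDeletion", "DisableKey"}


def find_cmk_loss_events(records):
    """Return one finding per KMS call that disables or schedules deletion of a key.

    For ScheduleKeyDeletion the earliest possible deletion time is the event time
    plus the requested pending window (AWS enforces a minimum of 7 days and
    defaults to 30 when the caller omits pendingWindowInDays).
    """
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in ALERT_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        event_time = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        event_time = event_time.replace(tzinfo=timezone.utc)
        finding = {
            "event": rec["eventName"],
            "key_id": params.get("keyId"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "event_time": event_time,
            "earliest_deletion": None,  # only set for ScheduleKeyDeletion
        }
        if rec["eventName"] == "ScheduleKeyDeletion":
            window = int(params.get("pendingWindowInDays", 30))
            finding["earliest_deletion"] = event_time + timedelta(days=window)
        findings.append(finding)
    return findings
```

The `earliest_deletion` value is the deadline by which a responder must confirm the deletion was planned or cancel it with KMS `CancelKeyDeletion`.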