This rule ensures that AWS KMS keys are not accidentally deleted to maintain data security.
Rule | AWS KMS keys should not be unintentionally deleted
Framework | AWS Foundational Security Best Practices
Severity | Critical
Rule Description
This rule ensures that AWS Key Management Service (KMS) keys are not unintentionally deleted. KMS keys play a critical role in AWS security by protecting the encryption keys used for various AWS services and data at rest. Accidental deletion of KMS keys can lead to data loss and potential security breaches. Therefore, it is important to implement measures to prevent unintentional deletion.
Troubleshooting Steps
If a KMS key is unintentionally deleted, it can have severe consequences for the associated resources and data. However, AWS provides measures to help recover from such situations:
Check Logs: Review CloudTrail logs and Amazon CloudWatch Logs to identify any actions related to KMS key deletion. Look for API calls such as ScheduleKeyDeletion or CancelKeyDeletion. This will help determine whether the deletion was intentional or accidental.
Restore Deleted Key: If the deletion was accidental and the key was scheduled for deletion (but not yet permanently deleted), it can be restored within the specified waiting period (typically 30 days). Use the AWS Management Console or AWS CLI to restore the key.
Create New Key: If the key is permanently deleted or cannot be restored, consider creating a new KMS key. Ensure that the new key is properly configured and associated with the necessary AWS resources.
Remediation Steps
To prevent unintentional deletion of KMS keys, follow these steps:
Enable Key Deletion Protection: Enable key deletion protection for your KMS keys. This ensures that keys cannot be deleted without explicitly disabling the protection. By default, this protection is disabled.
AWS Management Console: Go to the KMS service console, select the desired key, and enable deletion protection in the key settings.
AWS CLI: The update-key-description command changes only the key's description text and has no deletion-protection flag. The equivalent control is a key policy statement that denies kms:ScheduleKeyDeletion, applied with the put-key-policy command (key-policy.json holds the full key policy including that Deny statement). Example:
aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key-policy.json
Assign Proper Permissions: Ensure that only authorized users or roles have the necessary permissions to delete KMS keys. Restrict access to key management through Identity and Access Management (IAM) policies.
AWS Management Console: Review and modify IAM policies associated with users and roles to ensure they do not have the kms:ScheduleKeyDeletion permission for critical keys.
AWS CLI: Use the aws iam attach-user-policy or aws iam attach-role-policy command to add or modify IAM policies associated with users or roles. Example:
aws iam attach-user-policy --user-name <username> --policy-arn <policy-arn>
Monitor Key Deletion Events: Implement proactive monitoring of KMS key deletion events. This helps detect and respond to any unauthorized or accidental deletion attempts.
AWS CloudTrail: Enable CloudTrail logging for KMS API calls and regularly review the logs to identify any suspicious activity related to key deletion.
Amazon CloudWatch Events: Set up CloudWatch Event rules to trigger notifications or automated actions in response to KMS key deletion events.
By following these steps, you can minimize the risk of unintentional deletion of KMS keys and maintain the security of your AWS resources and data.