
Rule: KMS Keys Should Not Be Pending Deletion

This rule ensures that KMS keys are not in a pending deletion status to maintain data security.

Rule: KMS keys should not be pending deletion
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description

This rule is aligned with the NIST Cybersecurity Framework (CSF) v1.1 and states that KMS (Key Management Service) keys should not be in the "pending deletion" state.

AWS KMS is a managed service for creating and controlling the encryption keys used to protect your data. A KMS key is never deleted immediately: when deletion is scheduled, the key enters the "pending deletion" state for a waiting period of 7 to 30 days (30 by default) before it is permanently removed. While pending, the key cannot be used for any cryptographic operation, and once the waiting period ends every piece of data encrypted under it becomes permanently unrecoverable. This rule flags keys left in that state because an unnoticed or unauthorized scheduled deletion is a data-loss and availability risk, not merely housekeeping.

Troubleshooting Steps

If you encounter KMS keys that are in the "pending deletion" state, you can follow these troubleshooting steps to resolve the issue:

  1. Identify the pending deletion keys: list all KMS keys in the account with the KMS console or the CLI (list-keys, then describe-key for each) and look for keys whose KeyState is "PendingDeletion".

  2. Verify the deletion time: note the scheduled deletion date (DeletionDate) of each pending key and how much of the waiting period remains. Once that date passes the key is removed automatically and nothing encrypted under it can be decrypted again, so keys with only days left are the most urgent.

  3. Determine the reasons: investigate why the key was scheduled for deletion. Look up the ScheduleKeyDeletion event in CloudTrail to see whether it came from an authorized user, an automated process, or unexpected activity.

  4. Assess the impact: identify the data and services that depend on the key. A key in "pending deletion" already cannot be used for encrypt or decrypt operations, so dependent workloads may be failing now, not only after the deletion date.

  5. Take necessary actions: based on the assessment, decide whether to cancel the deletion or allow it to proceed. A pending deletion cannot be postponed in place; to change the date, cancel it and schedule the deletion again with a different waiting period.

Remediation Steps

To remediate KMS keys in the "pending deletion" state, you can follow these step-by-step guides:

Option 1: Cancel the Deletion

If the deletion of the KMS key should not proceed, you can cancel the pending deletion. Here are the steps to follow:

  1. Identify the key: obtain the key ID or Amazon Resource Name (ARN) of the KMS key whose deletion you want to cancel. The caller needs kms:CancelKeyDeletion (and kms:EnableKey for the follow-up step) on that key.

  2. Use the AWS CLI: open your command-line interface and run the following command, replacing key-arn with the ARN (or key ID) of the key:

    aws kms cancel-key-deletion --key-id key-arn

    This command cancels the pending deletion for the specified KMS key. Note that the key comes back in the "Disabled" state, not "Enabled": it must be enabled separately with the EnableKey operation (aws kms enable-key) before it can be used again.

  3. Verify the cancellation: check the key state with describe-key or in the console and confirm it reads "Enabled" rather than "PendingDeletion" or "Disabled".
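The detection from the troubleshooting steps and the cancel-then-enable remediation above, as one added example (not code from the original page). It assumes the boto3 KMS client call shapes (list_keys, describe_key, cancel_key_deletion, enable_key) and ships a constructed in-memory stand-in client so it runs offline; for a real account pass boto3.client("kms") to audit() and cancel_and_reenable() instead.

```python
"""Audit AWS KMS keys for PendingDeletion and cancel a scheduled deletion.

Added example, not part of the original rule page. Assumes boto3 KMS
response shapes; FakeKms below is a constructed offline stand-in.
"""
from copy import deepcopy
from datetime import datetime, timedelta, timezone


def find_pending_deletion(key_metadata, now):
    """Return findings for keys whose KeyState is PendingDeletion,
    sorted so the key closest to permanent deletion comes first."""
    findings = []
    for meta in key_metadata:
        if meta.get("KeyState") != "PendingDeletion":
            continue
        remaining = (meta["DeletionDate"] - now).total_seconds() / 86400
        findings.append({
            "KeyId": meta["KeyId"],
            "Arn": meta["Arn"],
            "DeletionDate": meta["DeletionDate"],
            "DaysRemaining": round(max(remaining, 0.0), 1),
        })
    findings.sort(key=lambda f: f["DeletionDate"])
    return findings


def audit(kms, now=None):
    """Walk every key visible to the caller (following list_keys
    pagination) and describe each one to obtain its KeyState."""
    now = now or datetime.now(timezone.utc)
    metadata, marker = [], None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for entry in page["Keys"]:
            metadata.append(kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"])
        if not page.get("Truncated"):
            break
        marker = page["NextMarker"]
    return find_pending_deletion(metadata, now)


def cancel_and_reenable(kms, key_id):
    """Cancel a pending deletion, then enable the key: CancelKeyDeletion
    leaves the key Disabled, so EnableKey is a required second step.
    Returns the resulting KeyState."""
    kms.cancel_key_deletion(KeyId=key_id)
    kms.enable_key(KeyId=key_id)
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]


class FakeKms:
    """Constructed stand-in for a boto3 KMS client, mimicking only the
    response shapes and state rules this example relies on."""

    def __init__(self, keys, page_size=2):
        self.keys = {k["KeyId"]: k for k in keys}
        self.page_size = page_size

    def list_keys(self, Marker=None, **_):
        ids = sorted(self.keys)
        start = ids.index(Marker) if Marker else 0
        chunk = ids[start:start + self.page_size]
        resp = {"Keys": [{"KeyId": i, "KeyArn": self.keys[i]["Arn"]} for i in chunk]}
        if start + self.page_size < len(ids):   # emulate paginated output
            resp["Truncated"], resp["NextMarker"] = True, ids[start + self.page_size]
        return resp

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.keys[KeyId])}

    def cancel_key_deletion(self, KeyId):
        meta = self.keys[KeyId]
        if meta["KeyState"] != "PendingDeletion":
            raise ValueError("KMSInvalidStateException: key is not pending deletion")
        meta["KeyState"] = "Disabled"   # matches real KMS: cancelled keys come back Disabled
        meta.pop("DeletionDate", None)
        return {"KeyId": KeyId}

    def enable_key(self, KeyId):
        meta = self.keys[KeyId]
        if meta["KeyState"] == "PendingDeletion":
            raise ValueError("KMSInvalidStateException: cancel the deletion first")
        meta["KeyState"] = "Enabled"
        return {}


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
ARN_PREFIX = "arn:aws:kms:us-east-1:111122223333:key/"   # constructed, not a real account

# Constructed sample metadata, not data from a real account.
SAMPLE_KEYS = [
    {"KeyId": "key-aaaa", "Arn": ARN_PREFIX + "key-aaaa", "KeyState": "Enabled"},
    {"KeyId": "key-bbbb", "Arn": ARN_PREFIX + "key-bbbb", "KeyState": "PendingDeletion",
     "DeletionDate": NOW + timedelta(days=7)},
    {"KeyId": "key-cccc", "Arn": ARN_PREFIX + "key-cccc", "KeyState": "PendingDeletion",
     "DeletionDate": NOW + timedelta(days=28)},
    {"KeyId": "key-dddd", "Arn": ARN_PREFIX + "key-dddd", "KeyState": "Disabled"},
    {"KeyId": "key-eeee", "Arn": ARN_PREFIX + "key-eeee", "KeyState": "PendingDeletion",
     "DeletionDate": NOW + timedelta(days=1)},
]


def sample_client():
    """Fresh fake client over a copy of the sample data."""
    return FakeKms(deepcopy(SAMPLE_KEYS))


if __name__ == "__main__":
    kms = sample_client()
    for f in audit(kms, NOW):
        print(f"{f['KeyId']}  deletes {f['DeletionDate']:%Y-%m-%d}  ({f['DaysRemaining']} days left)")
    print("key-bbbb after cancel + enable:", cancel_and_reenable(kms, "key-bbbb"))
```

The audit deliberately calls describe-key for every key rather than trusting list-keys alone, because list-keys does not return the key state. Keys that are Disabled but not pending deletion are left alone: they are recoverable and outside the scope of this rule.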

Option 2: Allow the Deletion

If the deletion is intentional and should proceed as planned, you can let the KMS key be permanently deleted after the scheduled period. Here are the steps to follow:

  1. Verify the impact: confirm that no data or service still depends on the key. Anything that remains encrypted under it becomes permanently unreadable on the deletion date, so re-encrypt or migrate such data under a replacement key beforehand.

  2. Update dependencies: point any resources or services that reference the key (for example through aliases or resource-level encryption settings) at the replacement key so they do not fail when the key is removed.

  3. Monitor the deletion process: watch the scheduled deletion date and confirm afterwards, via describe-key or the console, that the key has been removed as expected.

Conclusion

Following NIST CSF v1.1, it is crucial not to leave KMS keys in the "pending deletion" state unexamined: each one is either an outage and data-loss risk waiting for its deletion date or a planned retirement that needs its dependencies migrated first. With the troubleshooting and remediation steps above, you can keep your KMS keys managed according to best practices.
