CloudWatch log metric filter and alarm for disabling or scheduled deletion of KMS CMKs should be configured


A CloudWatch Logs metric filter and a CloudWatch alarm should be established for customer-created Customer Master Keys (CMKs) that change state to disabled or scheduled for deletion. This helps to prevent accidental or unintentional modifications from leading to data loss: once a CMK is disabled or deleted, any data encrypted with it can no longer be decrypted.

Console Remediation Steps

  • Navigate to CloudTrail.

  • Select View trails.

  • Select a trail.

  • In the CloudWatch Logs section, click Configure.

  • Name a new log group or select an existing one.

  • Click Continue.

  • For the IAM role, choose an existing role or create one. If you create an IAM role, type a role name.

  • Select an existing policy or create a new one.

  • Click Allow.

  • In the CloudWatch Logs section, click Create CloudWatch Alarms for Security and Network related API activity using CloudFormation template.

  • You are redirected to the Create stack page in CloudFormation.

  • Click Next.

  • Enter the Log Group Name.

  • Click Next.

  • Click Next.

  • Click Create stack.

CLI Remediation Steps

  • Create the metric filter for scheduled deletion of customer created CMKs:

    • aws logs put-metric-filter --log-group-name <name> --filter-name <name> --filter-pattern '{ $.eventSource = kms* && $.errorMessage = "* is pending deletion."}' --metric-transformations metricName=<metric name>,metricNamespace=<metric namespace>,metricValue=1,defaultValue=0

  • Create the alarm:

    • aws cloudwatch put-metric-alarm --alarm-name <name> --metric-name <name> --namespace <namespace> --statistic <value> --evaluation-periods <value> --period <value> --threshold <value> --comparison-operator <value> --alarm-actions <arn of topic>
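The two CLI steps above, worked through as an added example (not code from the original page or its vendor). It builds the same filter and alarm parameters with boto3, fills in the placeholders the commands leave open (Sum statistic, 5-minute period, threshold of 1, notBreaching for missing data), and includes a local check of which CloudTrail records would increment the metric. The filter pattern here is an assumption that differs from the step above: it matches the DisableKey and ScheduleKeyDeletion CloudTrail events directly (the CIS benchmark form) rather than the "is pending deletion" error message. Every name, ARN and sample event is a constructed placeholder.

```python
"""Added example (not part of the original page): build and optionally apply the
CloudWatch Logs metric filter and CloudWatch alarm that detect KMS CMKs being
disabled or scheduled for deletion. Names and ARNs are placeholders; the sample
CloudTrail records are constructed."""
import json

# Assumption: alarm on the state-changing CloudTrail events themselves rather than
# on the "is pending deletion" error message used in the CLI step above.
KMS_STATE_CHANGE_EVENTS = ("DisableKey", "ScheduleKeyDeletion")
FILTER_PATTERN = (
    "{ ($.eventSource = kms.amazonaws.com) && "
    "(($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
)


def metric_filter_params(log_group, filter_name, metric_name, namespace):
    """Keyword arguments for logs.put_metric_filter (aws logs put-metric-filter)."""
    return {
        "logGroupName": log_group,
        "filterName": filter_name,
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": metric_name,
            "metricNamespace": namespace,
            "metricValue": "1",    # count one per matching event
            "defaultValue": 0.0,   # emit 0 when nothing matches, so the metric is never missing
        }],
    }


def alarm_params(alarm_name, metric_name, namespace, topic_arn):
    """Keyword arguments for cloudwatch.put_metric_alarm (aws cloudwatch put-metric-alarm):
    fire on a single matching event within one 5-minute period and notify the SNS topic."""
    return {
        "AlarmName": alarm_name,
        "MetricName": metric_name,
        "Namespace": namespace,
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def event_matches(event):
    """Local approximation of FILTER_PATTERN, used to sanity-check which CloudTrail
    records would increment the metric before the filter is deployed."""
    return (event.get("eventSource") == "kms.amazonaws.com"
            and event.get("eventName") in KMS_STATE_CHANGE_EVENTS)


# Constructed sample CloudTrail records, trimmed to the fields the filter reads.
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "requestParameters": {"keyId": "EXAMPLE-KEY-ID", "pendingWindowInDays": 7}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKey",
     "requestParameters": {"keyId": "EXAMPLE-KEY-ID"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey"},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket"},
]


def matching_event_names(events=SAMPLE_EVENTS):
    """Names of the records in `events` that would raise the alarm."""
    return [e["eventName"] for e in events if event_matches(e)]


def apply(log_group, topic_arn, metric_name="KMSKeyStateChange",
          namespace="CISBenchmark", session=None):
    """Create the filter and alarm with boto3 (needs AWS credentials). boto3 is
    imported lazily so the rest of the module works without it installed."""
    import boto3  # assumption: boto3 is available where this is run
    session = session or boto3.Session()
    name = "kms-cmk-disable-or-delete"
    session.client("logs").put_metric_filter(
        **metric_filter_params(log_group, name, metric_name, namespace))
    session.client("cloudwatch").put_metric_alarm(
        **alarm_params(name, metric_name, namespace, topic_arn))


if __name__ == "__main__":
    print("records that would raise the alarm:", matching_event_names())
    print(json.dumps(metric_filter_params("<log group>", "kms-cmk-disable-or-delete",
                                          "KMSKeyStateChange", "CISBenchmark"), indent=2))
```

Before calling `apply()`, the pattern can be checked against real records without creating anything: `aws logs test-metric-filter --filter-pattern "$PATTERN" --log-event-messages '<CloudTrail JSON>'` returns the matched messages. `TreatMissingData=notBreaching` matters because the metric only exists in periods where the filter emitted a value; without it, quiet periods show up as INSUFFICIENT_DATA rather than OK.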