CloudWatch log metric filter and alarm for disabling or scheduled deletion of customer managed KMS keys should be configured


A CloudWatch metric filter and alarm should be established for customer managed KMS keys that have changed state to disabled or scheduled deletion. This helps to prevent accidental or unintentional modifications that may lead to data loss. If KMS keys are disabled or deleted then any data encrypted with them will no longer be available.

Remediation Steps

AWS Console

This is a two part process. First, you create a Metric Filter for specific CloudTrail log events. Next, you create a CloudWatch alarm for the filter. See Creating an Amazon CloudWatch alarm to detect usage of an AWS KMS key pending deletion for more information.

  • Step 1: To create the Metric Filter:

    • Navigate to CloudWatch.

    • In the left navigation, click Log Groups and select the desired log group. The log group must be assigned to a multi-region CloudTrail trail that has logging enabled (i.e., is in Logging status).

    • Select Metric filters > Create Metric Filter.

    • In Filter pattern, enter the following: { $.eventSource = kms* && $.errorMessage = "* is pending deletion."}

    • Click Next.

    • For Filter name, type DeletedKMSCMKActivity.

    • For Metric namespace, type CloudTrailLogMetrics.

    • For Metric name, type KMSKeyPendingDeletionErrorCount.

    • For Metric value, type 1.

    • Click Next > Create metric filter.

  • Step 2: To create an Alarm:

    • Check the box next to the newly created metric filter and click Create alarm.

    • Select the Threshold type.

    • Define the alarm condition and threshold value.

    • Click Next.

    • In Alarm state trigger, select In alarm.

    • Select an existing SNS topic, create new topic, or use topic ARN. Note that the SNS topic must have at least one subscriber.

      • If you selected to create a new topic, enter a name in Create a new topic.

      • Enter an email address in Email endpoints that will receive the notification.

      • Click Create topic.

    • Click Next.

    • Enter an Alarm name.

    • Optionally, enter an alarm description.

    • Click Next > Create alarm.


  • Create the metric filter for scheduled deletion of customer managed KMS keys:

    • aws logs put-metric-filter --log-group-name <name> --filter-name <name> --filter-pattern '{ $.eventSource = kms* && $.errorMessage = "* is pending deletion."}' --metric-transformations metricName=<metric name>,metricNamespace=<metric namespace>, metricValue=1,defaultValue=0

  • Create the alarm:

    • aws cloudwatch put-metric-alarm --alarm-name <name> --metric-name <name> --namespace <namespace> --statistic <value> --evaluation-periods <value> --period <value> --threshold <value> --comparison-operator <value> --alarm-actions <arn of topic>