CloudWatch log metric filter and alarm for disabling or scheduled deletion of KMS CMKs should be configured


A CloudWatch metric filter and alarm should be established for customer-created Customer Master Keys (CMKs) that have changed state to disabled or scheduled deletion. This helps to prevent accidental or unintentional modifications that may lead to data loss. If CMKs are disabled or deleted then any data encrypted with them will no longer be available.

Console Remediation Steps

This is a two-part process. First, you create a Metric Filter for specific CloudTrail log events. Next, you create a CloudWatch alarm for the filter. See Creating an Amazon CloudWatch Alarm to Detect Usage of a Customer Master Key that is Pending Deletion for more information.

  • Step 1: To create the Metric Filter:

    • Navigate to CloudWatch.

    • In the left navigation, click Log Groups and select the desired log group. The log group must be assigned to a multi-region CloudTrail trail that has logging enabled (i.e., is in Logging status).

    • Select Metric filters > Create Metric Filter.

    • In Filter pattern, enter the following: { $.eventSource = kms* && $.errorMessage = "* is pending deletion."}

    • Click Next.

    • For Filter name, type DeletedKMSCMKActivity.

    • For Metric namespace, type CloudTrailLogMetrics.

    • For Metric name, type KMSKeyPendingDeletionErrorCount.

    • For Metric value, type 1.

    • Click Next > Create metric filter.

  • Step 2: To create an Alarm:

    • Check the box next to the newly created metric filter and click Create alarm.

    • Select the Threshold type.

    • Define the alarm condition and threshold value.

    • Click Next.

    • In Alarm state trigger, select In alarm.

    • Select an existing SNS topic, create new topic, or use topic ARN. Note that the SNS topic must have at least one subscriber.

      • If you chose to create a new topic, enter a name in Create a new topic.

      • Enter an email address in Email endpoints that will receive the notification.

      • Click Create topic.

    • Click Next.

    • Enter an Alarm name.

    • Optionally, enter an alarm description.

    • Click Next > Create alarm.

CLI Remediation Steps

  • Create the metric filter for scheduled deletion of customer-created CMKs:

    • aws logs put-metric-filter --log-group-name <name> --filter-name <name> --filter-pattern '{ $.eventSource = kms* && $.errorMessage = "* is pending deletion."}' --metric-transformations metricName=<metric name>,metricNamespace=<metric namespace>,metricValue=1,defaultValue=0

  • Create the alarm:

    • aws cloudwatch put-metric-alarm --alarm-name <name> --metric-name <name> --namespace <namespace> --statistic <value> --evaluation-periods <value> --period <value> --threshold <value> --comparison-operator <value> --alarm-actions <arn of topic>
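
To check what the filter pattern used in the console and CLI steps will count before wiring an alarm to it, the following added example (not AWS code and not part of the original steps) evaluates the same two terms against CloudTrail-style records. The sample records, the placeholder account and key IDs, and the assumption that `*` matches any run of characters are constructed for illustration.

```python
import json
import re

# The two terms of this page's filter pattern, as field -> wildcard string.
PAGE_FILTER = {
    "eventSource": "kms*",
    "errorMessage": "* is pending deletion.",
}

def wildcard_match(pattern, value):
    # Assumption: '*' stands for any run of characters, everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None

def matches_page_filter(raw_event):
    """True when a log line is a JSON object satisfying both terms (&&)."""
    try:
        event = json.loads(raw_event)
    except json.JSONDecodeError:
        return False  # a JSON filter pattern never matches non-JSON lines
    if not isinstance(event, dict):
        return False
    return all(
        isinstance(event.get(field), str) and wildcard_match(pattern, event[field])
        for field, pattern in PAGE_FILTER.items()
    )

def metric_total(raw_events):
    """Each matching event contributes metricValue=1 to the metric."""
    return sum(1 for raw in raw_events if matches_page_filter(raw))

# Constructed CloudTrail-style records (account ID and key ID are placeholders).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_EVENTS = [
    # Use of a key that is pending deletion: counted.
    json.dumps({"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
                "errorMessage": KEY_ARN + " is pending deletion."}),
    # Successful state changes carry no errorMessage: not counted.
    json.dumps({"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion"}),
    json.dumps({"eventSource": "kms.amazonaws.com", "eventName": "DisableKey"}),
    # Different service, different error: not counted.
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                "errorMessage": "Access Denied"}),
    "plain text line, not JSON",
]

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(matches_page_filter(raw), raw[:70])
    print("metric total:", metric_total(SAMPLE_EVENTS))
```

The deployed pattern can be checked the same way against real log lines with `aws logs test-metric-filter`, which takes the filter pattern and a list of sample log event messages.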