CloudWatch log metric filter and alarm are not set for disabling or scheduled deletion of customer managed KMS keys Affecting CloudWatch service in AWS

Snyk CCSS

Monitoring / Accounts Monitoring

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-AWS CSA-CCM HIPAA ISO-27001 PCI-DSS SOC-2

Snyk ID SNYK-CC-00180
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

A CloudWatch metric filter and alarm should be established for customer managed KMS keys that have changed state to disabled or scheduled deletion. This helps to prevent accidental or unintentional modifications that may lead to data loss. If KMS keys are disabled or deleted then any data encrypted with them will no longer be available.

How to fix?

Create an aws_cloudwatch_log_metric_filter and aws_cloudwatch_metric_alarm with an appropriate pattern attribute set for an aws_cloudwatch_log_group and aws_cloudtrail set of resources.

Use one of the following pattern attribute sets:

$.eventSource=kms.amazonaws.com
$.eventName=DisableKey
$.eventName=ScheduleKeyDeletion

$.eventSource=kms*
$.errorMessage=*ispendingdeletion

cli

Terraform

References

Creating an Amazon CloudWatch alarm to detect usage of an AWS KMS key pending deletion

CloudWatch log metric filter and alarm are not set for disabling or scheduled deletion of customer managed KMS keys Affecting CloudWatch service in AWS

Severity

Description

How to fix?

cli

Terraform

References