CMK Disabled or Scheduled for Deletion Alarm
More Info:
AWS CMK configuration changes should be monitored using CloudWatch alarms.
Risk Level
Medium
Address
Security
Compliance Standards
HIPAA, ISO27001, CISAWS, CBP, NISTCSF
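The "More Info" note above says CMK configuration changes should be monitored with CloudWatch alarms. As an added example (not part of this page), the block below shows the CloudWatch Logs metric-filter pattern commonly used to drive such an alarm from CloudTrail (it is the pattern used by the CIS AWS Foundations Benchmark control for KMS key changes) and evaluates the same predicate in plain Python over constructed sample CloudTrail records, so the detection logic can be checked offline. The account id, ARNs, key ids and principals in the sample are placeholders.

```python
"""Detect CMK disable / scheduled-deletion events in CloudTrail records.

Added example, not part of the original page. METRIC_FILTER_PATTERN is the
CloudWatch Logs metric-filter pattern commonly used for this alarm; the
functions below mirror it in plain Python so it can be run offline over the
constructed sample records at the bottom.
"""
import json
from typing import Dict, List, Optional

# CloudWatch Logs metric filter pattern for the alarm. Apply it to the log
# group CloudTrail delivers to, and alarm when the resulting metric is >= 1.
METRIC_FILTER_PATTERN = (
    "{ ($.eventSource = kms.amazonaws.com) && "
    "(($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
)

WATCHED_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}


def is_cmk_alarm_event(record: Dict) -> bool:
    """Python equivalent of METRIC_FILTER_PATTERN for one CloudTrail record."""
    return (record.get("eventSource") == "kms.amazonaws.com"
            and record.get("eventName") in WATCHED_EVENTS)


def affected_key_id(record: Dict) -> Optional[str]:
    """Key the API call targeted: prefer the request's keyId, otherwise the
    KMS key ARN listed under 'resources'."""
    params = record.get("requestParameters") or {}
    if params.get("keyId"):
        return params["keyId"]
    for res in record.get("resources") or []:
        if res.get("ARN", "").startswith("arn:aws:kms:"):
            return res["ARN"]
    return None


def scan_trail(records: List[Dict]) -> List[Dict]:
    """One finding per matching record: when, which call, which key, by whom."""
    findings = []
    for rec in records:
        if not is_cmk_alarm_event(rec):
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "key": affected_key_id(rec),
            "principal": (rec.get("userIdentity") or {}).get("arn"),
        })
    return findings


# Constructed sample CloudTrail records (not real events). The shape follows
# the CloudTrail record format; account id, ARNs and key ids are placeholders.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "DisableKey",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa-0000"},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/aaaa-0000"}]},
 {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
  "requestParameters": null,
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/aaaa-0000"}]},
 {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "ScheduleKeyDeletion",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"keyId": "bbbb-1111", "pendingWindowInDays": 7},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/bbbb-1111"}]},
 {"eventTime": "2024-01-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DisableKey",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/eve"},
  "requestParameters": null, "resources": []}
]}
""")

if __name__ == "__main__":
    for finding in scan_trail(SAMPLE_TRAIL["Records"]):
        print(finding)
```

Only the first and third sample records match: the Decrypt call is normal key use, and the last record has the right event name but the wrong event source, which is why the pattern checks both fields.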
Triage and Remediation
Remediation
To remediate the CMK Disabled or Scheduled for Deletion alarm in AWS using the AWS console, follow these steps:
- Log in to your AWS account and navigate to the AWS KMS console.
- Click the “Customer managed keys” option in the left-hand menu.
- Identify the key that is disabled or scheduled for deletion.
- To enable a disabled key, select the key and click the “Enable” button in the top menu.
- To cancel the scheduled deletion of a key, select the key and click the “Cancel key deletion” button in the top menu.
- After completing the above steps, verify that the key status has changed to “Enabled” or “Pending import”; the alarm should then clear automatically.
- If the alarm does not clear, check the SNS topic associated with the alarm to ensure that it is configured correctly.
By following these steps, you can remediate the CMK Disabled or Scheduled for Deletion alarm in AWS using the AWS console.
The CMK (Customer Master Key) Disabled or Scheduled for Deletion alarm indicates that a CMK in AWS has been disabled or scheduled for deletion. This misconfiguration can lead to data loss or unauthorized access to encrypted data. Here are the steps to remediate this issue using the AWS CLI:
- Identify the CMK that has been disabled or scheduled for deletion. List all the CMKs in your AWS account:

```bash
aws kms list-keys
```

- Check the status of each CMK to identify the one that has been disabled or scheduled for deletion. Describe the key state of a CMK with:

```bash
aws kms describe-key --key-id <key-id>
```

Replace `<key-id>` with the ID of the CMK that you want to check.
- Reactivate the disabled CMK or cancel its scheduled deletion. Enable a disabled CMK with:

```bash
aws kms enable-key --key-id <key-id>
```

Replace `<key-id>` with the ID of the disabled CMK that you want to enable.
- If the CMK has been scheduled for deletion, cancel the deletion with:

```bash
aws kms cancel-key-deletion --key-id <key-id>
```

Replace `<key-id>` with the ID of the CMK whose deletion you want to cancel.
- Verify that the CMK is active and not scheduled for deletion by describing its key state again:

```bash
aws kms describe-key --key-id <key-id>
```

Replace `<key-id>` with the ID of the CMK that you want to verify.
Once you have completed these steps, the CMK Disabled or Scheduled for Deletion alarm should be resolved. It is recommended to regularly monitor your AWS account for this type of misconfiguration and take the necessary actions to remediate it.
To remediate the CMK Disabled or Scheduled for Deletion Alarm in AWS using Python, follow these steps:
- First, check the status of the CMK using the `describe_key` method of the AWS KMS client. This method returns the metadata for the specified customer master key (CMK).

```python
import boto3

# Create a KMS client
kms = boto3.client('kms')

# Get the CMK metadata
key_id = 'your-cmk-id'
key_metadata = kms.describe_key(KeyId=key_id)
```

- Check the `KeyState` attribute of the CMK metadata. If it is set to `Disabled` or `PendingDeletion`, the CMK is disabled or scheduled for deletion; enable it or cancel the deletion accordingly.

```python
key_state = key_metadata['KeyMetadata']['KeyState']

if key_state == 'Disabled':
    # Enable the CMK
    kms.enable_key(KeyId=key_id)
    print('CMK enabled successfully.')
elif key_state == 'PendingDeletion':
    # Cancel the scheduled deletion of the CMK
    kms.cancel_key_deletion(KeyId=key_id)
    print('Scheduled deletion of CMK cancelled successfully.')
else:
    # Any other state: nothing to remediate
    print('CMK is already enabled and not scheduled for deletion.')
```

- If the `KeyState` attribute is not set to `Disabled` or `PendingDeletion`, the CMK is already enabled and not scheduled for deletion; this is the `else` branch above, which only reports the state.
By following these steps, you can remediate the CMK Disabled or Scheduled for Deletion Alarm in AWS using Python.
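Pulling the CLI and Python steps above together, the following added example (not the page's own code) sweeps every customer-managed key the way `aws kms list-keys` plus `aws kms describe-key` does and remediates the affected ones. It handles one edge case the steps above do not spell out: `CancelKeyDeletion` leaves a key in the Disabled state, so a key that was pending deletion still needs an `EnableKey` call before it is usable again. The KMS client is passed in as a parameter so the logic runs offline against the constructed `FakeKms` class included below; with boto3 installed, pass `boto3.client('kms')` instead. It assumes the caller holds the kms:ListKeys, kms:DescribeKey, kms:EnableKey and kms:CancelKeyDeletion permissions on the keys in question, and the key ids in the sample inventory are placeholders.

```python
"""Sweep and remediate disabled / pending-deletion customer-managed CMKs.

Added example, not the page's own code. The KMS client is injected so the
logic can be exercised offline against the constructed FakeKms below; with
boto3 installed, call sweep(boto3.client('kms')) instead.
"""
from typing import Dict, List


def remediate_key(kms, key_id: str) -> str:
    """Bring one key back to Enabled and return its final KeyState.

    CancelKeyDeletion leaves the key Disabled (documented KMS behaviour), so a
    PendingDeletion key needs a second call, EnableKey, to become usable.
    """
    state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    if state == "PendingDeletion":
        kms.cancel_key_deletion(KeyId=key_id)
        state = "Disabled"          # post-cancel state, still needs enabling
    if state == "Disabled":
        kms.enable_key(KeyId=key_id)
        state = "Enabled"
    return state                    # Enabled, or an untouched state such as PendingImport


def sweep(kms) -> Dict[str, str]:
    """Describe every key (paginated like `aws kms list-keys`) and remediate
    the customer-managed ones that are Disabled or PendingDeletion.

    AWS-managed keys (KeyManager == 'AWS') are skipped: the account cannot
    disable or schedule deletion of them, so they never trigger this alarm.
    Returns {key_id: final_state} for every key that was touched.
    """
    actions: Dict[str, str] = {}
    marker = None
    while True:
        page = kms.list_keys(Marker=marker) if marker else kms.list_keys()
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if meta.get("KeyManager") != "CUSTOMER":
                continue
            if meta["KeyState"] in ("Disabled", "PendingDeletion"):
                actions[entry["KeyId"]] = remediate_key(kms, entry["KeyId"])
        if not page.get("Truncated"):
            return actions
        marker = page["NextMarker"]


class FakeKms:
    """Constructed stand-in for boto3's KMS client: same method names and
    response shapes as the real API, reduced to the fields used above."""

    def __init__(self, keys: Dict[str, Dict[str, str]]):
        self.keys = keys
        self.calls: List[str] = []   # audit trail of mutating calls

    def list_keys(self, Marker=None):
        return {"Keys": [{"KeyId": k} for k in sorted(self.keys)], "Truncated": False}

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(KeyId=KeyId, **self.keys[KeyId])}

    def cancel_key_deletion(self, KeyId):
        self.calls.append(f"CancelKeyDeletion {KeyId}")
        self.keys[KeyId]["KeyState"] = "Disabled"   # mirrors real KMS behaviour
        return {"KeyId": KeyId}

    def enable_key(self, KeyId):
        self.calls.append(f"EnableKey {KeyId}")
        self.keys[KeyId]["KeyState"] = "Enabled"
        return {}


def sample_client() -> FakeKms:
    """Constructed inventory with placeholder key ids covering each state."""
    return FakeKms({
        "key-0001": {"KeyState": "Enabled", "KeyManager": "CUSTOMER"},
        "key-0002": {"KeyState": "Disabled", "KeyManager": "CUSTOMER"},
        "key-0003": {"KeyState": "PendingDeletion", "KeyManager": "CUSTOMER"},
        "key-0004": {"KeyState": "PendingImport", "KeyManager": "CUSTOMER"},
        "key-0005": {"KeyState": "Enabled", "KeyManager": "AWS"},
    })


if __name__ == "__main__":
    # Offline demonstration; replace sample_client() with boto3.client("kms")
    # to run against a real account.
    client = sample_client()
    print(sweep(client))
    print(client.calls)
```

Against the sample inventory the sweep enables key-0002 directly, cancels deletion of key-0003 and then enables it, and leaves the PendingImport key and the AWS-managed key alone, which is the behaviour to expect from the console and CLI steps when they are followed to completion.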