Skip to main content

More Info:

AWS CMK configuration changes should be monitored using CloudWatch alarms.

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, ISO27001, CISAWS, CBP, NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the CMK Disabled or Scheduled for Deletion alarm in AWS using the AWS console, you can follow the below steps:
  1. Login to your AWS account and navigate to the AWS KMS console.
  2. Click on the “Customer managed keys” option from the left-hand side menu.
  3. Identify the key that is disabled or scheduled for deletion.
  4. To enable a disabled key, select the key and click on the “Enable” button from the top menu.
  5. To cancel the scheduled deletion of a key, select the key and click on the “Cancel key deletion” button from the top menu.
  6. After completing the above steps, verify that the key status has changed to “Enabled” or “Pending import” and the alarm should automatically clear.
  7. If the alarm does not clear, check the SNS topic that is associated with the alarm to ensure that it is configured correctly.
By following these steps, you can remediate the CMK Disabled or Scheduled for Deletion alarm in AWS using the AWS console.

The CMK (Customer Master Key) Disabled or Scheduled for Deletion alarm indicates that a CMK in AWS has been disabled or scheduled for deletion. This misconfiguration can lead to data loss or unauthorized access to encrypted data. Here are the steps to remediate this issue using AWS CLI:
  1. Identify the CMK that has been disabled or scheduled for deletion. You can use the following command to list all the CMKs in your AWS account:
aws kms list-keys
  1. Check the status of each CMK to identify the one that has been disabled or scheduled for deletion. You can use the following command to describe the key state of a CMK:
aws kms describe-key --key-id <key-id>
Replace <key-id> with the ID of the CMK that you want to check.
  1. Reactivate the disabled CMK or cancel the scheduled deletion of the CMK. You can use the following command to enable a disabled CMK:
aws kms enable-key --key-id <key-id>
Replace <key-id> with the ID of the disabled CMK that you want to enable.
  1. If the CMK has been scheduled for deletion, you can cancel the deletion using the following command:
aws kms cancel-key-deletion --key-id <key-id>
Replace <key-id> with the ID of the CMK that you want to cancel the deletion for.
  1. Verify that the CMK is active and not scheduled for deletion. You can use the following command to describe the key state of the CMK again:
aws kms describe-key --key-id <key-id>
Replace <key-id> with the ID of the CMK that you want to verify.Once you have completed these steps, the CMK Disabled or Scheduled for Deletion alarm should be resolved. It is recommended to regularly monitor your AWS account for this type of misconfiguration and take necessary actions to remediate it.
To remediate the CMK Disabled or Scheduled for Deletion Alarm in AWS using Python, you can follow the below steps:
  1. First, you need to check the status of the CMK using the describe_key method of the AWS KMS client. This method returns the metadata for the specified customer master key (CMK). 
    import boto3

# Create a KMS client
kms = boto3.client('kms')

# Get the CMK metadata
key_id = 'your-cmk-id'
key_metadata = kms.describe_key(KeyId=key_id)
  2. Check the KeyState attribute of the CMK metadata. If it is set to Disabled or PendingDeletion, then the CMK is disabled or scheduled for deletion. 
    key_state = key_metadata['KeyMetadata']['KeyState']

if key_state == 'Disabled':
    # Enable the CMK
    kms.enable_key(KeyId=key_id)
    print('CMK enabled successfully.')
elif key_state == 'PendingDeletion':
    # Cancel the scheduled deletion of the CMK
    kms.cancel_key_deletion(KeyId=key_id)
    print('Scheduled deletion of CMK cancelled successfully.')
else:
    print('CMK is already enabled and not scheduled for deletion.')
  3. If the KeyState attribute is not set to Disabled or PendingDeletion, then the CMK is already enabled and not scheduled for deletion. 
    else:
    print('CMK is already enabled and not scheduled for deletion.')
By following these steps, you can remediate the CMK Disabled or Scheduled for Deletion Alarm in AWS using Python.

Additional Reading: