AWS KMS customer managed key disabled or scheduled for deletion
Description
AlphaSOC detected that an AWS Key Management Service (KMS) customer managed key has been unexpectedly disabled or scheduled for deletion. This action can indicate an attempt to compromise the integrity of data. Adversaries may disable or delete encryption keys to prevent access to encrypted data, possibly as part of a broader attack strategy to disrupt operations or destroy data. Actions initiated by infrastructure-as-code (IaC) tools and AWS services are exempt from the detection to avoid false positives.
Impact
Disabling or deleting KMS keys may render encrypted data inaccessible, disrupt critical business operations, and compromise compliance with data privacy regulations. It can also affect the functionality of AWS services that rely on the affected keys for encryption, such as Elastic Block Store (EBS), Simple Storage Service (S3), and Relational Database Service (RDS).
Severity
| Severity | Condition |
|---|---|
| Low | KMS key unexpectedly disabled or scheduled for deletion |
Investigation and Remediation
Investigate the circumstances surrounding the key deactivation or deletion and verify whether it was an authorized action. If it was unauthorized, identify the user responsible and the access path they used, and review AWS CloudTrail logs for associated activity. If the key was inadvertently disabled, re-enable it; if a deletion was scheduled unintentionally, cancel it. Assess any affected data and restore from backups if necessary.
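The detection described above, together with the CloudTrail review and reversal steps, as an added example that is not AlphaSOC's own detection code: it scans constructed CloudTrail records for `DisableKey` and `ScheduleKeyDeletion` events from `kms.amazonaws.com`, exempts calls made by an AWS service (`userIdentity.invokedBy` is set) or by IaC tooling (an assumed user-agent pattern that you would tune to your environment), and maps each finding to the `aws kms enable-key` or `aws kms cancel-key-deletion` command that reverses it. The sample records, account ID and key IDs are constructed, not real data.

```python
"""Flag CloudTrail records in which a KMS customer managed key was disabled or
scheduled for deletion, skipping IaC tools and AWS services, and attach the
reversing AWS CLI command to each finding. Added example, not AlphaSOC's code."""
import json
import re

# CloudTrail event names that take a key out of service, mapped to the real
# `aws kms` subcommand that reverses each one.
TAMPERING_ACTIONS = {
    "DisableKey": "aws kms enable-key --key-id {key_id}",
    "ScheduleKeyDeletion": "aws kms cancel-key-deletion --key-id {key_id}",
}

# Assumed markers for IaC tooling in the CloudTrail userAgent field; tune this
# to the tooling actually used in the account.
IAC_USER_AGENT = re.compile(r"terraform|pulumi|cdk", re.IGNORECASE)

ACCOUNT = "123456789012"  # constructed account ID
KEY_A = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-1111-1111-1111-111111111111"
KEY_B = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/22222222-2222-2222-2222-222222222222"

# Constructed CloudTrail records (not real data), shaped like a delivered trail file.
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # IAM user disables a key from the CLI: should alert
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "DisableKey", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "requestParameters": {"keyId": KEY_A},
    },
    {   # Terraform applying a planned change: exempt by user agent
        "eventTime": "2024-05-01T10:20:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "DisableKey", "sourceIPAddress": "198.51.100.7",
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.0",
        "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ci/deploy"},
        "requestParameters": {"keyId": KEY_B},
    },
    {   # CloudFormation stack deletion: exempt because an AWS service made the call
        "eventTime": "2024-05-01T10:25:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "cloudformation.amazonaws.com",
        "userAgent": "cloudformation.amazonaws.com",
        "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/cfn/stack",
                         "invokedBy": "cloudformation.amazonaws.com"},
        "requestParameters": {"keyId": KEY_B, "pendingWindowInDays": 30},
    },
    {   # Read-only call: ignored
        "eventTime": "2024-05-01T10:30:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "DescribeKey", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "requestParameters": {"keyId": KEY_A},
    },
    {   # Assumed role schedules deletion from the console: should alert
        "eventTime": "2024-05-01T11:00:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "203.0.113.44",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/admin/bob"},
        "requestParameters": {"keyId": KEY_A, "pendingWindowInDays": 7},
    },
]})


def load_records(raw: str) -> list[dict]:
    """Parse a CloudTrail delivery file ({"Records": [...]}) into its event list."""
    return json.loads(raw)["Records"]


def is_exempt(event: dict) -> bool:
    """True for calls an AWS service made on the caller's behalf or IaC tooling issued."""
    identity = event.get("userIdentity") or {}
    if identity.get("invokedBy"):  # populated when an AWS service made the call
        return True
    return bool(IAC_USER_AGENT.search(event.get("userAgent", "")))


def detect_key_tampering(events: list[dict]) -> list[dict]:
    """Return one Low-severity finding per non-exempt DisableKey/ScheduleKeyDeletion."""
    findings = []
    for ev in events:
        action = ev.get("eventName")
        if ev.get("eventSource") != "kms.amazonaws.com" or action not in TAMPERING_ACTIONS:
            continue
        if ev.get("errorCode"):  # denied or failed calls did not change key state
            continue
        if is_exempt(ev):
            continue
        params = ev.get("requestParameters") or {}
        key_id = params.get("keyId", "<unknown>")
        findings.append({
            "severity": "Low",
            "action": action,
            "key_id": key_id,
            "actor": (ev.get("userIdentity") or {}).get("arn", "<unknown>"),
            "source_ip": ev.get("sourceIPAddress"),
            "event_time": ev.get("eventTime"),
            # KMS enforces a 7-30 day waiting period; cancellation must happen inside it.
            "pending_window_days": params.get("pendingWindowInDays"),
            "remediation": TAMPERING_ACTIONS[action].format(key_id=key_id),
        })
    return findings


if __name__ == "__main__":
    for f in detect_key_tampering(load_records(SAMPLE_TRAIL)):
        print(f"[{f['severity']}] {f['event_time']} {f['actor']} ran {f['action']} "
              f"on {f['key_id']} from {f['source_ip']}")
        print(f"        undo: {f['remediation']}")
```

Run as-is it prints two findings (the CLI `DisableKey` by the IAM user and the console `ScheduleKeyDeletion` by the assumed role) with the matching `enable-key` and `cancel-key-deletion` commands; the Terraform and CloudFormation events are suppressed, and the `DescribeKey` read is ignored. Whether to also surface failed (`errorCode`) attempts is a tuning choice; the block skips them because the key state did not change.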
Known False Positives
- Routine key rotation procedures involving disabling old keys