
AWS KMS customer managed key disabled or scheduled for deletion

ID: aws_kms_key_disruption
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0040 (Impact) : T1485 (Data Destruction)

Description

AlphaSOC detected that an AWS Key Management Service (KMS) customer managed key was unexpectedly disabled (CloudTrail event DisableKey) or scheduled for deletion (ScheduleKeyDeletion). A disabled key can no longer be used for any cryptographic operation, and a key scheduled for deletion is destroyed once its pending window (7 to 30 days, 30 by default) expires. Adversaries may disable or delete encryption keys to deny access to encrypted data or to destroy it outright, typically as part of a broader effort to disrupt operations. Actions initiated by infrastructure-as-code (IaC) tools and by AWS services acting on the account's behalf are exempt from the detection to avoid false positives.

Impact

Disabling or deleting KMS keys can render encrypted data inaccessible, disrupt critical business operations, and breach data protection obligations. It also breaks AWS services that depend on the affected key for encryption, such as Elastic Block Store (EBS) volumes, Simple Storage Service (S3) objects, and Relational Database Service (RDS) instances encrypted under it. Disabling is reversible and a scheduled deletion can be cancelled while it is pending, but once the pending window expires AWS cannot recover the key, and every object encrypted under it becomes permanently unreadable.

Severity

Severity | Condition
Low      | KMS key unexpectedly disabled or scheduled for deletion

Investigation and Remediation

Investigate the circumstances of the key deactivation or deletion and confirm whether the action was authorized. In the CloudTrail record, note the eventName (DisableKey or ScheduleKeyDeletion), the userIdentity (principal ARN, session name, and any invokedBy value), the sourceIPAddress and userAgent, the keyId in requestParameters, and, for scheduled deletions, pendingWindowInDays, which shows how much time remains to cancel. Review surrounding CloudTrail activity by the same principal and session, in particular other KMS changes such as PutKeyPolicy, UpdateAlias, or further DisableKey and ScheduleKeyDeletion calls, and any changes to the credentials or role that granted the access path. If the key was inadvertently disabled, re-enable it (EnableKey). If a deletion was scheduled unintentionally, cancel it (CancelKeyDeletion); note that cancelling leaves the key in the Disabled state, so it must be re-enabled afterwards before dependent services recover. If the action was unauthorized, revoke or rotate the credentials used, tighten the key policy and IAM policies that permit kms:DisableKey and kms:ScheduleKeyDeletion, then assess any affected data and restore from backups if necessary.
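The following is an added example of the detection and triage logic described above, run over constructed CloudTrail records; it is not AlphaSOC's own implementation. The record fields (eventSource, eventName, userIdentity.invokedBy, userAgent, requestParameters, errorCode) are standard CloudTrail fields, but the IaC user-agent patterns used for the exemption, the key ARN, the account ID and the principals are assumptions made for the example, and the exact exemption list AlphaSOC uses is not stated on this page.

```python
import re

RULE_ID = "aws_kms_key_disruption"
KMS_SOURCE = "kms.amazonaws.com"
# CloudTrail eventName values that move a customer managed key towards unusable.
DISRUPTIVE_CALLS = {"DisableKey", "ScheduleKeyDeletion"}
# Assumed IaC fingerprints in the userAgent field (Terraform, the CDK, Pulumi).
# The real detection's exemption list is not published on the page.
IAC_USER_AGENT = re.compile(r"terraform|aws-cdk|pulumi", re.IGNORECASE)

# Constructed sample data: fictitious account ID, key ID, principals and addresses.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_EVENTS = [
    # 1. IAM user disables the key from the CLI: expected to alert.
    {"eventSource": KMS_SOURCE, "eventName": "DisableKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"keyId": KEY_ARN}},
    # 2. Assumed role schedules deletion with the shortest allowed window: expected to alert.
    {"eventSource": KMS_SOURCE, "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "userAgent": "console.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"keyId": KEY_ARN, "pendingWindowInDays": 7},
     "responseElements": {"keyId": KEY_ARN, "keyState": "PendingDeletion"}},
    # 3. Same call issued by Terraform: exempt as IaC.
    {"eventSource": KMS_SOURCE, "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/terraform"},
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.2 (+https://www.terraform.io)",
     "sourceIPAddress": "192.0.2.20",
     "requestParameters": {"keyId": KEY_ARN, "pendingWindowInDays": 30}},
    # 4. Disable performed by an AWS service on the account's behalf: exempt.
    {"eventSource": KMS_SOURCE, "eventName": "DisableKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/cfn-role/AWSCloudFormation",
                      "invokedBy": "cloudformation.amazonaws.com"},
     "userAgent": "cloudformation.amazonaws.com",
     "sourceIPAddress": "cloudformation.amazonaws.com",
     "requestParameters": {"keyId": KEY_ARN}},
    # 5. Denied attempt: key state unchanged, so this rule stays silent.
    {"eventSource": KMS_SOURCE, "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/mallory"},
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1",
     "sourceIPAddress": "203.0.113.99",
     "errorCode": "AccessDenied",
     "requestParameters": {"keyId": KEY_ARN, "pendingWindowInDays": 7}},
    # 6. Ordinary cryptographic use: ignored.
    {"eventSource": KMS_SOURCE, "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "userAgent": "aws-sdk-go/1.44.0", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {}},
]


def is_exempt(event):
    """IaC tooling and AWS services acting for the account do not raise the alert."""
    identity = event.get("userIdentity") or {}
    if identity.get("invokedBy") or identity.get("type") == "AWSService":
        return True
    return bool(IAC_USER_AGENT.search(event.get("userAgent") or ""))


def remediation_commands(action, key_id):
    """AWS CLI commands that reverse the action. Cancelling a scheduled deletion
    leaves the key Disabled, so EnableKey is still required afterwards."""
    if action == "DisableKey":
        return [f"aws kms enable-key --key-id {key_id}"]
    return [f"aws kms cancel-key-deletion --key-id {key_id}",
            f"aws kms enable-key --key-id {key_id}"]


def detect(events):
    """Return one alert per successful, non-exempt DisableKey/ScheduleKeyDeletion call."""
    alerts = []
    for event in events:
        if event.get("eventSource") != KMS_SOURCE:
            continue
        action = event.get("eventName")
        # A failed call (errorCode present) did not change the key state.
        if action not in DISRUPTIVE_CALLS or event.get("errorCode"):
            continue
        if is_exempt(event):
            continue
        params = event.get("requestParameters") or {}
        key_id = params.get("keyId")
        alerts.append({
            "rule": RULE_ID,
            "severity": "Low",
            "action": action,
            "key_id": key_id,
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            "user_agent": event.get("userAgent"),
            "pending_window_days": params.get("pendingWindowInDays"),
            "remediation": remediation_commands(action, key_id),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["action"], alert["actor"], alert["pending_window_days"], alert["remediation"])
```

Run against the six constructed records, only events 1 and 2 produce alerts: the Terraform and CloudFormation calls are exempted, the AccessDenied attempt is skipped because the key state never changed (a separate rule on failed kms:ScheduleKeyDeletion attempts would be the place to surface that), and the Decrypt call is unrelated. The pending window carried in the alert is what tells the analyst how long they have to run the cancel-and-enable sequence.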

Known False Positives

  • Manual key rotation or decommissioning procedures in which an old key is disabled, or scheduled for deletion, after its alias has been repointed to a replacement key (automatic KMS key rotation retains the old key material and never disables or deletes anything, so it does not trigger this detection)