Unexpected GCP API calls indicating KMS key destroyed
Description
AlphaSOC detected that a Google Cloud KMS cryptographic key version was scheduled for destruction. Once destroyed, any data encrypted with this key becomes permanently irrecoverable. This activity may indicate ransomware attacks, insider threats, or attempts to cause data loss.
Impact
Destruction of KMS keys results in permanent data loss for all data encrypted with those keys. This can include databases, storage buckets, secrets, and other critical data. Attackers may destroy keys as part of ransomware attacks or to cause maximum damage during an incident.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the DestroyCryptoKeyVersion action. Identify the key ring, key, and key version affected. Determine which principal initiated the destruction and verify authorization.
If unauthorized, immediately cancel the scheduled destruction before the waiting period expires. GCP KMS has a minimum 24-hour waiting period before keys are actually destroyed. Rotate credentials for the compromised identity and audit all KMS operations. Implement IAM policies to restrict key destruction permissions.
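As an added example (not AlphaSOC's detection code), the triage below parses a Cloud Audit Log entry for DestroyCryptoKeyVersion, extracts the key ring, key, version and principal from the resource name, counts unexpected properties the way the severity table above does, and prints the gcloud command that cancels the scheduled destruction. The baseline of expected user agents, regions and ASNs, the IP-to-ASN table and the sample log entries are all constructed for this example.

```python
import re

# Pattern for the Cloud KMS resource name recorded in protoPayload.resourceName.
RESOURCE_RE = re.compile(
    r"projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)/keyRings/(?P<keyring>[^/]+)"
    r"/cryptoKeys/(?P<key>[^/]+)/cryptoKeyVersions/(?P<version>[^/]+)"
)
# Baseline of expected properties and a stand-in IP->ASN table; both are
# constructed for this example (a real deployment would learn/look these up).
BASELINE = {"ua_prefixes": ("google-cloud-sdk",), "regions": {"us-east1"}, "asns": {15169}}
IP_TO_ASN = {"203.0.113.7": 15169, "198.51.100.9": 64496}
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}

def audit_entry(principal, ip, ua, resource, method="DestroyCryptoKeyVersion"):
    """Build a minimal Cloud Audit Log entry (constructed sample data)."""
    return {"protoPayload": {
        "serviceName": "cloudkms.googleapis.com", "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua}}}

def triage(entry):
    """Return key/principal details, unexpected properties and severity, or None."""
    p = entry.get("protoPayload", {})
    if p.get("serviceName") != "cloudkms.googleapis.com" or p.get("methodName") != "DestroyCryptoKeyVersion":
        return None
    m = RESOURCE_RE.search(p.get("resourceName", ""))
    if not m:
        return None
    meta = p.get("requestMetadata", {})
    ua, ip = meta.get("callerSuppliedUserAgent", ""), meta.get("callerIp", "")
    # The destroy action itself is the first unexpected property; ASN, user
    # agent and region each add one, following the severity table above.
    unexpected = ["action"]
    if IP_TO_ASN.get(ip) not in BASELINE["asns"]:
        unexpected.append("asn")
    if not ua.startswith(BASELINE["ua_prefixes"]):
        unexpected.append("user_agent")
    if m["location"] not in BASELINE["regions"]:
        unexpected.append("region")
    fields = m.groupdict()
    # gcloud command that cancels the scheduled destruction; it only works while
    # the version is still in DESTROY_SCHEDULED state, i.e. inside the waiting period.
    restore = (f"gcloud kms keys versions restore {fields['version']} --key={fields['key']} "
               f"--keyring={fields['keyring']} --location={fields['location']} --project={fields['project']}")
    return {**fields, "principal": p.get("authenticationInfo", {}).get("principalEmail"),
            "unexpected": unexpected, "severity": SEVERITY[min(len(unexpected), 3)],
            "restore_cmd": restore}
```

Feed real entries from Cloud Logging (filter on `protoPayload.methodName="DestroyCryptoKeyVersion"`) into `triage` and run the returned `restore_cmd` only after the principal's authorization has been checked.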
Known False Positives
- Scheduled key rotation with old key version cleanup
- Compliance-driven key retirement processes
- Development environment cleanup activities