GCP API calls indicating KMS key disabled
Description
AlphaSOC detected that a Google Cloud KMS cryptographic key version was disabled. Disabled keys cannot be used for cryptographic operations, which may disrupt services relying on the key. This action may indicate preparation for key destruction or an attempt to render encrypted data inaccessible as part of a ransomware attack.
Impact
Disabling KMS keys can disrupt applications and services that depend on encryption operations. If backups or critical data are encrypted with the disabled key, they become temporarily inaccessible. This technique may be used as a precursor to key destruction, which would permanently render encrypted data unrecoverable.
Severity
| Severity | Condition |
|---|---|
| Low | KMS key disabled by user for first time |
Investigation and Remediation
Identify the key that was disabled and determine which services or data depend on it. Verify the identity of the user who disabled the key and confirm the action was authorized. If unauthorized, re-enable the key immediately and investigate the user's account for signs of compromise. Review other KMS keys for similar unauthorized modifications.
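The detection condition and the first remediation step, as an added example that is not AlphaSOC's own code: it flags Cloud KMS key-version disable events in Cloud Audit Log entries, raises a Low alert only the first time a given principal does so, and derives the gcloud command to re-enable the affected version. It assumes the JSON shape Cloud Logging exports for the KMS `UpdateCryptoKeyVersion` audit record; the log entries, project and key names are constructed.

```python
KMS_UPDATE = "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion"
KEY_VERSION = ("projects/demo-proj/locations/global/keyRings/kr1/"
               "cryptoKeys/backup-key/cryptoKeyVersions/3")

# Constructed sample entries: a disable, a harmless label change, a repeat disable.
SAMPLE_LOG = [
    {"timestamp": "2024-01-01T10:00:00Z", "protoPayload": {
        "methodName": KMS_UPDATE, "resourceName": KEY_VERSION,
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "request": {"cryptoKeyVersion": {"state": "DISABLED"}, "updateMask": "state"}}},
    {"timestamp": "2024-01-01T10:01:00Z", "protoPayload": {
        "methodName": "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey",
        "resourceName": KEY_VERSION.rsplit("/cryptoKeyVersions", 1)[0],
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "request": {"updateMask": "labels"}}},
    {"timestamp": "2024-01-02T09:00:00Z", "protoPayload": {
        "methodName": KMS_UPDATE, "resourceName": KEY_VERSION,
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "request": {"cryptoKeyVersion": {"state": "DISABLED"}, "updateMask": "state"}}},
]

def is_key_version_disable(entry):
    """True when the entry sets a CryptoKeyVersion's state to DISABLED."""
    p = entry.get("protoPayload", {})
    if p.get("methodName") != KMS_UPDATE:
        return False
    return p.get("request", {}).get("cryptoKeyVersion", {}).get("state") == "DISABLED"

def reenable_command(resource_name):
    """Build the gcloud command that re-enables the version named in an alert."""
    parts = resource_name.split("/")
    f = dict(zip(parts[::2], parts[1::2]))  # projects/P/locations/L/... -> {"projects": P, ...}
    return (f"gcloud kms keys versions enable {f['cryptoKeyVersions']} "
            f"--key {f['cryptoKeys']} --keyring {f['keyRings']} "
            f"--location {f['locations']} --project {f['projects']}")

def detect(entries, seen_users=None):
    """Return (alerts, suppressed): one Low alert per principal on their first disable.
    Later disables by the same principal are counted, not alerted, matching the
    'first time' condition in the severity table; pass `seen_users` to persist state."""
    seen = set() if seen_users is None else seen_users
    alerts, suppressed = [], 0
    for e in entries:
        if not is_key_version_disable(e):
            continue
        p = e["protoPayload"]
        user = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
        if user in seen:
            suppressed += 1
            continue
        seen.add(user)
        alerts.append({"severity": "Low", "user": user, "time": e.get("timestamp"),
                       "key_version": p.get("resourceName"),
                       "reenable": reenable_command(p.get("resourceName", ""))})
    return alerts, suppressed
```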
Known False Positives
- Legitimate key rotation procedures
- Decommissioning of deprecated encryption keys
- Compliance requirements for key lifecycle management