Profile Applicability:
Level 2
Description:
AWS CloudTrail enables real-time monitoring of API calls by logging events to CloudWatch Logs or an external SIEM. This control ensures that customer-managed KMS keys (CMKs) that are disabled or scheduled for deletion are monitored to prevent accidental data loss or security risks.
Key Management Service (KMS) Customer-Managed Keys (CMKs)
CMKs are cryptographic keys created and controlled by the user.
If a CMK is disabled or deleted, data encrypted using the key becomes inaccessible.
Monitoring DisableKey and ScheduleKeyDeletion API calls helps ensure that keys are not accidentally or maliciously disabled or deleted.
Rationale:
Monitoring CMK state changes helps prevent:
Accidental key disablement or deletion leading to loss of access to encrypted data.
Malicious attempts to disable encryption keys and compromise data security.
Regulatory non-compliance, as key management is critical for compliance with SOC 2, HIPAA, PCI DSS, and GDPR.
Impact:
If a key is disabled or deleted, encrypted data becomes inaccessible.
Monitoring these events provides immediate alerts that help prevent business disruptions.
AWS KMS costs may apply for storing and managing CMKs.
Default Value:
AWS does not monitor CMK state changes by default.
CloudTrail logs these changes, but CloudWatch Alarms and SNS notifications must be configured manually.
Pre-Requisites:
AWS CloudTrail enabled with multi-region logging.
AWS CloudWatch Logs enabled and linked to CloudTrail.
IAM Permissions Required:
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
logs:DescribeMetricFilters
cloudwatch:DescribeAlarms
sns:ListSubscriptionsByTopic
logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic
Remediation:
Test Plan:
Using AWS Console
Log in to the AWS Management Console.
Navigate to CloudTrail: AWS CloudTrail Console.
Verify there is at least one multi-region CloudTrail trail enabled.
Ensure CloudTrail is logging management events:
Click on the trail and check Event Selectors.
Ensure management events are set to "All".
Check that CloudTrail logs are being sent to CloudWatch.
Navigate to CloudWatch Logs: AWS CloudWatch Console.
Ensure that a metric filter is created for CMK disablement or deletion.
Check CloudWatch Alarms for alerts on CMK state changes.
Implementation Steps:
Using AWS CLI
Step 1: Create a Metric Filter for CMK Disablement or Deletion
aws logs put-metric-filter --log-group-name <trail-log-group-name> \
  --filter-name disable-or-delete-cmk-changes-metric \
  --metric-transformations metricName=disable-or-delete-cmk-changes-metric,metricNamespace="CISBenchmark",metricValue=1 \
  --filter-pattern '{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }'
Step 2: Create an SNS Topic for Notifications
aws sns create-topic --name disable-or-delete-cmk-changes-alerts
Step 3: Subscribe to SNS Topic
aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <your-email@example.com>
Step 4: Create a CloudWatch Alarm for CMK Disablement or Deletion
aws cloudwatch put-metric-alarm --alarm-name disable-or-delete-cmk-changes-alarm \
  --metric-name disable-or-delete-cmk-changes-metric --statistic Sum --period 300 \
  --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions <sns-topic-arn>
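The following is an added example, not part of the CIS control text and not AWS code. It restates the Step 1 filter pattern and the Step 4 alarm settings (Sum over 300-second periods, threshold 1) as plain Python so that both can be exercised offline against CloudTrail records, and it adds the check from the Test Plan that a log group's metric filters actually cover both DisableKey and ScheduleKeyDeletion. All CloudTrail records, ARNs, account id, log group name and the describe-metric-filters payload below are constructed sample data; the function names are this example's own.

```python
"""Added example: offline model of the CMK disable/delete metric filter,
the CloudWatch alarm it feeds, and a Test Plan audit of existing filters.
Every record and response below is constructed sample data."""
import json
from collections import Counter
from datetime import datetime, timezone

# Restated from the Step 1 filter pattern and the Step 4 alarm parameters.
KMS_SOURCE = "kms.amazonaws.com"
WATCHED_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}
PERIOD_SECONDS = 300   # --period 300
THRESHOLD = 1          # --threshold 1, GreaterThanOrEqualToThreshold

# Constructed CloudTrail records, one JSON object per line, as delivered to
# the trail's CloudWatch Logs group. Account id and ARNs are placeholders.
SAMPLE_LOG_LINES = [
    '{"eventTime":"2024-01-01T10:00:12Z","eventSource":"kms.amazonaws.com","eventName":"DisableKey","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}',
    '{"eventTime":"2024-01-01T10:01:40Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"arn":"arn:aws:iam::111122223333:role/app"}}',
    '{"eventTime":"2024-01-01T10:03:05Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}}',
    '{"eventTime":"2024-01-01T10:20:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteBucket","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}}',
    '{"eventTime":"2024-01-01T10:22:30Z","eventSource":"kms.amazonaws.com","eventName":"EnableKey","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}',
]

# Constructed shape of `aws logs describe-metric-filters` output. The second
# filter is deliberately incomplete (DisableKey only) to show the audit failing it.
SAMPLE_DESCRIBE_METRIC_FILTERS = {
    "metricFilters": [
        {
            "filterName": "disable-or-delete-cmk-changes-metric",
            "filterPattern": "{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }",
            "metricTransformations": [{"metricName": "disable-or-delete-cmk-changes-metric", "metricNamespace": "CISBenchmark", "metricValue": "1"}],
            "logGroupName": "example-trail-log-group",
        },
        {
            "filterName": "partial-kms-filter",
            "filterPattern": "{ ($.eventSource = kms.amazonaws.com) && ($.eventName = DisableKey) }",
            "metricTransformations": [{"metricName": "partial-kms-filter", "metricNamespace": "CISBenchmark", "metricValue": "1"}],
            "logGroupName": "example-trail-log-group",
        },
    ]
}


def matches_filter(record: dict) -> bool:
    """Python equivalent of the Step 1 filter pattern."""
    return record.get("eventSource") == KMS_SOURCE and record.get("eventName") in WATCHED_EVENTS


def _period_start(event_time: str) -> str:
    """Floor an ISO-8601 eventTime to the start of its 300-second alarm period."""
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00")).timestamp()
    start = int(ts) // PERIOD_SECONDS * PERIOD_SECONDS
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def matched_events(log_lines):
    """Return (eventName, caller ARN) for every record the filter would match."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if matches_filter(rec):
            hits.append((rec["eventName"], rec["userIdentity"]["arn"]))
    return hits


def count_matches_per_period(log_lines):
    """Emulate metricValue=1 per match, summed per period (--statistic Sum)."""
    counts = Counter()
    for line in log_lines:
        rec = json.loads(line)
        if matches_filter(rec):
            counts[_period_start(rec["eventTime"])] += 1
    return dict(counts)


def alarm_periods(log_lines):
    """Periods in which the Step 4 alarm would move to ALARM state."""
    return sorted(p for p, n in count_matches_per_period(log_lines).items() if n >= THRESHOLD)


# Tokens a compliant filter pattern must contain once whitespace is removed.
REQUIRED_TERMS = ("$.eventSource=kms.amazonaws.com", "$.eventName=DisableKey", "$.eventName=ScheduleKeyDeletion")


def compliant_filter_names(describe_response: dict):
    """Test Plan check: names of metric filters covering both CMK state changes."""
    names = []
    for mf in describe_response.get("metricFilters", []):
        pattern = "".join(mf.get("filterPattern", "").split())
        if all(term in pattern for term in REQUIRED_TERMS):
            names.append(mf["filterName"])
    return names


if __name__ == "__main__":
    print("matched:", matched_events(SAMPLE_LOG_LINES))
    print("per period:", count_matches_per_period(SAMPLE_LOG_LINES))
    print("alarm periods:", alarm_periods(SAMPLE_LOG_LINES))
    print("compliant filters:", compliant_filter_names(SAMPLE_DESCRIBE_METRIC_FILTERS))
```

Run against the embedded sample, the two KMS state-change calls land in the same five-minute period and trigger the alarm once, while the Decrypt, EnableKey and S3 records are ignored; the audit accepts only the filter that names both DisableKey and ScheduleKeyDeletion. To audit a real account, feed the JSON from `aws logs describe-metric-filters --log-group-name <trail-log-group-name>` to compliant_filter_names.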
Backout Plan:
Delete CloudWatch Alarm:
aws cloudwatch delete-alarms --alarm-names disable-or-delete-cmk-changes-alarm
Remove the metric filter:
aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name disable-or-delete-cmk-changes-metric
Delete SNS topic:
aws sns delete-topic --topic-arn <sns-topic-arn>