Profile Applicability:
- Level 2
Description:
Amazon Key Management Service (KMS) provides a centralized way to create and manage encryption keys. Deleting a KMS key can have significant consequences, including data loss or service disruption if the key is actively being used. To ensure that keys are not deleted unintentionally, AWS offers key deletion protection. This SOP outlines the steps to enable and verify KMS key deletion protection and best practices to prevent accidental key deletion.
Rationale:
Data Integrity: Deleting KMS keys that are in use can cause a complete loss of access to encrypted data.
Prevent Accidental Deletion: Enabling deletion protection ensures that keys are not accidentally deleted, safeguarding the critical encryption infrastructure.
Operational Continuity: By preventing key deletion, you ensure that services that rely on the encryption keys continue to function without interruptions.
Impact:
Pros:
Enhanced Data Protection: Protects encryption keys from being deleted inadvertently, ensuring continuous access to encrypted data.
Security and Compliance: Helps maintain compliance with data protection and encryption standards that require proper management of encryption keys.
Business Continuity: Prevents operational issues related to lost access to encrypted resources.
Cons:
Management Overhead: Enabling deletion protection may require additional steps when a key truly needs to be deleted, which could delay the decommissioning of unused keys.
Potential for Mismanagement: If key deletion protection is not removed when necessary, the key might persist even when it is no longer required, increasing the complexity of key management.
Default Value:
By default, KMS CMKs are not configured with deletion protection enabled. You need to enable this setting when creating or managing KMS keys to prevent accidental deletion.
Prerequisites:
AWS IAM Permissions:
kms:DescribeKey
kms:PutKeyPolicy
kms:CreateKey
kms:EnableKeyDeletion
AWS CLI installed and configured.
Ensure that KMS CMKs are being used to encrypt critical data or services that need to be protected from accidental key deletion.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS KMS under Services.
In the KMS Dashboard, go to Customer Managed Keys.
For each KMS CMK, verify if deletion protection is enabled by checking the Key Metadata section.
If deletion protection is enabled, you will see that Key Deletion is disabled.
If deletion protection is not enabled, proceed to enable it to avoid accidental deletion.
Using AWS CLI:
To check if deletion protection is enabled for a KMS CMK, run:
aws kms describe-key --key-id <key-id> --query 'KeyMetadata.DeletionProtection'
If the output shows false, then deletion protection is not enabled for that CMK.
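An added audit script (not part of this SOP) that performs the check above with boto3 and real API fields: the KMS DescribeKey response carries no DeletionProtection attribute, so a --query on it returns null rather than false; the script instead reports keys whose KeyState is PendingDeletion and keys whose key policy has no Deny on kms:ScheduleKeyDeletion. The account number, key IDs and policies are constructed samples, and audit_account assumes the caller passes in a boto3 KMS client.

```python
import json

# A Deny on any of these actions blocks ScheduleKeyDeletion (wildcards included).
DELETE_ACTIONS = {"kms:ScheduleKeyDeletion", "kms:*", "*"}
def _as_list(v): return v if isinstance(v, list) else [v]

def policy_denies_deletion(policy_json):
    """True if the key policy has a Deny statement covering kms:ScheduleKeyDeletion."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Deny" and set(_as_list(stmt.get("Action", []))) & DELETE_ACTIONS:
            return True
    return False
def audit_key(metadata, policy_json):
    """Findings for one key (empty list = protected). metadata is DescribeKey's KeyMetadata,
    which has no DeletionProtection field, so the verdict uses KeyState plus the key policy."""
    findings = []
    if metadata.get("KeyManager") != "CUSTOMER":
        return findings  # AWS-managed keys cannot be scheduled for deletion by the account
    if metadata.get("KeyState") == "PendingDeletion":
        findings.append("PendingDeletion until %s; cancel-key-deletion keeps it" % metadata.get("DeletionDate"))
    if not policy_denies_deletion(policy_json):
        findings.append("key policy has no Deny on kms:ScheduleKeyDeletion")
    return findings

def audit_account(kms):
    """Run audit_key over every key via a caller-supplied boto3 KMS client
    (needs kms:ListKeys, kms:DescribeKey and kms:GetKeyPolicy)."""
    report = {}
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            policy = kms.get_key_policy(KeyId=key["KeyId"], PolicyName="default")["Policy"]
            if findings := audit_key(meta, policy):
                report[key["KeyId"]] = findings
    return report

# Constructed sample policies and metadata (not real keys) so the audit runs offline.
ADMIN_ALLOW = {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
               "Action": "kms:*", "Resource": "*"}
NO_DELETE = {"Effect": "Deny", "Principal": "*", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}
GUARDED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ADMIN_ALLOW, NO_DELETE]})
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ADMIN_ALLOW]})
SAMPLE_KEYS = [
    ({"KeyId": "key-guarded", "KeyManager": "CUSTOMER", "KeyState": "Enabled"}, GUARDED_POLICY),
    ({"KeyId": "key-pending", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion",
      "DeletionDate": "2025-01-31"}, OPEN_POLICY)]

if __name__ == "__main__":
    for meta, pol in SAMPLE_KEYS:
        print(meta["KeyId"], audit_key(meta, pol) or "ok")
```

A key that is already in PendingDeletion can still be recovered with `aws kms cancel-key-deletion` until its DeletionDate passes; the policy Deny is what prevents it being scheduled in the first place.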
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to KMS.
In the KMS Dashboard, under Customer Managed Keys, select the key you want to enable protection for.
In the Key Metadata section, look for Deletion Protection. If it's not enabled, click on Enable Deletion Protection.
Confirm the action to ensure that the CMK cannot be deleted unintentionally.
Using AWS CLI:
To enable deletion protection for a KMS CMK, run the following command:
aws kms enable-key-deletion --key-id <key-id> --pending-window-in-days 30
This command enables deletion protection for the CMK and ensures the key cannot be deleted for 30 days unless deletion protection is removed.
To verify if deletion protection is enabled, run:
aws kms describe-key --key-id <key-id> --query 'KeyMetadata.DeletionProtection'
The output should show true if deletion protection is enabled.
Backout Plan:
Using AWS Console:
If enabling deletion protection causes issues, sign in to the AWS Management Console.
Navigate to Key Management Service (KMS), select the KMS key, and go to the Key details section.
Click Edit and disable deletion protection.
Save the changes and verify that deletion protection is now disabled.
Using AWS CLI:
To disable deletion protection for a KMS key, run:
aws kms disable-key-deletion --key-id <key-id>
Verify that deletion protection has been disabled:
aws kms describe-key --key-id <key-id>