iCompaas Support

Profile Applicability:

• Level 1

Description:

This control ensures that AWS CloudTrail log data is monitored for any event where customer-managed AWS Key Management Service (KMS) Customer Master Keys (CMKs) are disabled or scheduled for deletion. A CloudWatch metric filter and alarm must be created to detect and alert on such events. Monitoring these activities helps prevent the loss of access to encrypted data and ensures encryption keys remain active and secure.

Rationale:

KMS CMKs are critical for data encryption and decryption across AWS services. Disabling or scheduling the deletion of these keys can render encrypted data inaccessible and may indicate unauthorized or accidental actions. Setting up monitoring and alerts ensures immediate awareness of such high-impact changes, allowing administrators to take corrective actions before data loss occurs.

Impact:

• Positive Impact:Provides immediate visibility into potentially destructive key management actions.Helps prevent accidental or unauthorized loss of encryption keys.Strengthens compliance with data protection and encryption requirements.
• Negative Impact:Minor increase in CloudWatch log monitoring and alerting costs.

Default Value:

By default, AWS does not provide a metric filter or alarm for KMS key disabling or deletion. Manual setup is required.

Pre-Requisite:

• CloudTrail must be enabled for all regions.
• CloudTrail logs must be delivered to a CloudWatch Logs group.
• IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.

Remediation

Test Plan

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to CloudWatch → Logs → Log groups.

3. Locate the CloudTrail log group (typically named /aws/cloudtrail/...).

4. Select Create metric filter.

5. Enter the following filter pattern to detect disabling or scheduled deletion of KMS CMKs:

6. Assign a metric name such as KMSKeyDisableOrDelete.

7. Go to CloudWatch → Alarms → Create alarm.

8. Create an alarm for the KMSKeyDisableOrDelete metric.

9. Set a threshold (e.g., ≥ 1 occurrence within 5 minutes) and configure SNS notifications to alert the security team.

10. Save the configuration.

Implementation Plan

Using AWS Console:

1. Go to CloudWatch → Logs → Log groups.
2. Open the CloudTrail log group.
3. Choose Create metric filter and use the following pattern:
4. Set Metric Name: KMSKeyDisableOrDelete.
5. Create an Alarm:
   • Metric: KMSKeyDisableOrDelete
   • Namespace: CISBenchmark
   • Condition: ≥ 1 in 5 minutes
   • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)
6. Save all changes.

Backout Plan

Using AWS Console:

1. Go to CloudWatch → Alarms.

2. Select the KMSKeyDisableOrDeleteAlarm.

3. Choose Actions → Delete.

4. Go to Logs → Metric Filters.

5. Delete the KMSKeyDisableOrDelete filter.

References:

• AWS Key Management Service Documentation
• AWS CloudTrail Documentation
• AWS CloudWatch Documentation