MEDIUM CloudWatch · CIS 4.7

CMK disable/deletion alarm

Check ID: aws-cw-007

AWS-CW-007 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks that a CloudWatch Logs metric filter and alarm exist on the CloudTrail log group to detect a KMS customer managed key (the key type CIS still calls a Customer Master Key, CMK) being disabled or scheduled for deletion. Without this monitoring, destruction of an encryption key goes unnoticed until something fails to decrypt, which may be after the key is already gone.

Why it matters

Scheduling a KMS key for deletion is the cloud equivalent of destroying the master key to a vault: once the waiting period ends, every object, volume and snapshot encrypted under that key is permanently unrecoverable, and AWS cannot restore it. The deletion is not immediate. ScheduleKeyDeletion enforces a waiting period of 7 to 30 days (30 if the caller does not set pendingWindowInDays), and during that period CancelKeyDeletion restores the key. Ransomware attackers exploit exactly this: they schedule deletion of the keys protecting RDS snapshots, S3 objects and EBS volumes, then demand payment before the window closes, and cloud extortion campaigns have used this technique to make data permanently inaccessible. Real-time alerting on ScheduleKeyDeletion is what turns the 7-30 day waiting period into a usable response window. DisableKey is the other event in scope: it is reversible with EnableKey, but it immediately fails every Encrypt and Decrypt call that uses the key, so it causes an outage the moment it happens and is a common precursor to deletion.

Common causes

KMS key administration is usually spread across several teams (platform, data, application owners), and none of them owns monitoring for destructive key events. A terraform destroy on a module that contains an aws_kms_key schedules the key for deletion unless the resource carries lifecycle { prevent_destroy = true }; the waiting period is whatever deletion_window_in_days was set to (default 30). Teams that routinely delete keys in test accounts tend to assume the same activity is watched in production, when no filter was ever created there.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

# Prerequisite: a multi-region CloudTrail trail logging management events must
# deliver to <CLOUDTRAIL_LOG_GROUP>; the filter only sees what lands in that group.
# Create metric filter (emits one datapoint of 1 per matching record):
aws logs put-metric-filter \
  --log-group-name <CLOUDTRAIL_LOG_GROUP> \
  --filter-name CIS-4.7 \
  --filter-pattern '{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }' \
  --metric-transformations metricName=CIS-4-7,metricNamespace=CISBenchmark,metricValue=1
# Create alarm: fire when at least one matching event lands in any 5-minute period.
# notBreaching keeps the alarm in OK rather than INSUFFICIENT_DATA on quiet days.
aws cloudwatch put-metric-alarm \
  --alarm-name CIS-4.7 \
  --alarm-description "KMS key disabled or scheduled for deletion (CIS 4.7)" \
  --metric-name CIS-4-7 \
  --namespace CISBenchmark \
  --statistic Sum --period 300 --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --treat-missing-data notBreaching \
  --alarm-actions <SNS_TOPIC_ARN>
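The filter and alarm can be reasoned about offline before they are deployed. The following Python is an added example, not cloud-audit's code: it re-implements the predicate of the CIS 4.7 filter pattern, emulates the alarm's Sum-per-300-seconds rule, and computes the CancelKeyDeletion deadline for each ScheduleKeyDeletion from pendingWindowInDays. The records, key ID and timestamps are constructed; field names follow the CloudTrail record format.

```python
"""Offline check of the CIS 4.7 detection logic (added example, not cloud-audit code).

Re-implements the predicate of the metric filter pattern in plain Python, applies
the alarm rule (Sum >= 1 per 300-second period) to a batch of records, and derives
the cancel-by deadline of each ScheduleKeyDeletion from eventTime + pendingWindowInDays.
The records below are hand-constructed in the CloudTrail record shape; the key ID and
times are made up.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Optional

FILTER_EVENT_SOURCE = "kms.amazonaws.com"
FILTER_EVENT_NAMES = {"DisableKey", "ScheduleKeyDeletion"}
ALARM_PERIOD_SECONDS = 300
ALARM_THRESHOLD = 1
DEFAULT_PENDING_WINDOW_DAYS = 30  # KMS default when pendingWindowInDays is omitted


def matches_cis_4_7(event: dict) -> bool:
    """Same predicate as
    { ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }
    The pattern never inspects errorCode, so a denied attempt is counted as well."""
    return (event.get("eventSource") == FILTER_EVENT_SOURCE
            and event.get("eventName") in FILTER_EVENT_NAMES)


def parse_event_time(event: dict) -> datetime:
    # CloudTrail writes eventTime as ISO 8601 UTC with a trailing Z
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cancel_by(event: dict) -> Optional[datetime]:
    """For ScheduleKeyDeletion, the end of the waiting period during which
    CancelKeyDeletion still recovers the key. None for any other event."""
    if event.get("eventName") != "ScheduleKeyDeletion":
        return None
    params = event.get("requestParameters") or {}
    days = params.get("pendingWindowInDays", DEFAULT_PENDING_WINDOW_DAYS)
    return parse_event_time(event) + timedelta(days=days)


def alarm_periods(events, period=ALARM_PERIOD_SECONDS, threshold=ALARM_THRESHOLD):
    """Emulate the alarm: one metric datapoint per matching record, summed per
    fixed period; return the start of every period whose sum reaches the threshold."""
    sums = Counter()
    for ev in events:
        if matches_cis_4_7(ev):
            start = int(parse_event_time(ev).timestamp()) // period * period
            sums[start] += 1
    return [datetime.fromtimestamp(s, tz=timezone.utc)
            for s in sorted(sums) if sums[s] >= threshold]


def _record(name, time, source=FILTER_EVENT_SOURCE, **extra):
    # Minimal constructed CloudTrail record carrying only the fields the check reads
    rec = {"eventVersion": "1.08", "eventSource": source, "eventName": name,
           "eventTime": time, "awsRegion": "us-east-1"}
    rec.update(extra)
    return rec


KEY = "1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder key ID, not a real key

SAMPLE_EVENTS = [
    # two destructive calls inside one 5-minute period -> one ALARM period with Sum=2
    _record("DisableKey", "2024-03-01T10:00:05Z", requestParameters={"keyId": KEY}),
    _record("ScheduleKeyDeletion", "2024-03-01T10:02:30Z",
            requestParameters={"keyId": KEY, "pendingWindowInDays": 7}),
    # recovery actions and ordinary use: not matched
    _record("CancelKeyDeletion", "2024-03-01T10:30:00Z", requestParameters={"keyId": KEY}),
    _record("EnableKey", "2024-03-01T10:31:00Z", requestParameters={"keyId": KEY}),
    _record("Decrypt", "2024-03-01T11:00:00Z"),
    # a destructive call on another service must not match this filter
    _record("DeleteBucket", "2024-03-01T11:05:00Z", source="s3.amazonaws.com"),
    # a denied ScheduleKeyDeletion with the default 30-day window: still counted
    _record("ScheduleKeyDeletion", "2024-03-01T12:00:00Z",
            errorCode="AccessDenied", requestParameters={"keyId": KEY}),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        flag = "MATCH " if matches_cis_4_7(ev) else "ignore"
        deadline = cancel_by(ev)
        print(flag, ev["eventSource"], ev["eventName"], ev["eventTime"],
              f"cancel by {deadline.isoformat()}" if deadline else "")
    print("periods in ALARM:", [p.isoformat() for p in alarm_periods(SAMPLE_EVENTS)])
```

Two points the example makes explicit: the pattern ignores errorCode, so a denied ScheduleKeyDeletion attempt also fires the alarm (desirable, since it signals someone trying), and a seven-day window set by the caller leaves far less time to respond than the default. To validate the real pattern against the service rather than this re-implementation, aws logs test-metric-filter accepts the same filter pattern and sample JSON records via --log-event-messages.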

Remediation: Terraform

# The log group must receive management events from a multi-region CloudTrail trail;
# the filter only evaluates records that land in this group.
resource "aws_cloudwatch_log_metric_filter" "cis_4_7" {
  name           = "CIS-4.7"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }"

  # one datapoint of 1 per matching CloudTrail record
  metric_transformation {
    name      = "CIS-4-7"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_4_7" {
  alarm_name          = "CIS-4.7"
  alarm_description   = "KMS key disabled or scheduled for deletion (CIS 4.7)"
  metric_name         = "CIS-4-7"
  namespace           = "CISBenchmark"
  statistic           = "Sum"
  period              = 300
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  # stay in OK rather than INSUFFICIENT_DATA when no key events occur
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.alerts.arn]
}

Compliance mapping

This check maps to CIS 4.7 (Ensure disabling or scheduled deletion of customer created CMKs is monitored) in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services; section 4 covers the CloudTrail-backed CloudWatch alarms.

This check is part of cloud-audit - install with pip install cloud-audit