Ensure a Log Metric Filter and Alarm Rule for CMK Disabling or Deletion

This rule ensures the presence of a log metric filter and alarm for customer created CMKs.

Rule: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Framework: cis_v150
Severity: Low

Rule Description:

To ensure the security of customer-created customer master keys (CMKs) in the AWS Key Management Service (KMS), a log metric filter and alarm should be set up to detect any instances of disabling or scheduled deletion of CMKs. This rule ensures that any attempts to modify or delete CMKs are immediately captured and alerted upon, allowing for swift action to be taken to prevent unauthorized activities.

Troubleshooting Steps:

If the log metric filter and alarm do not exist, follow the steps below to create them:

  1. Verify that you have the necessary permissions to create CloudWatch log metric filters and alarms.
  2. Log in to the AWS Management Console.
  3. Go to the CloudWatch service.
  4. Open the "Log Groups" section.
  5. Locate the appropriate log group that contains the logs for the AWS Key Management Service (KMS).
  6. Click on the log group to open its details.
  7. In the "Actions" dropdown menu, select "Create Metric Filter."
  8. Define the following filter pattern:
     • Filter pattern: {($.eventName = DisableKey || $.eventName = ScheduleKeyDeletion) && $.eventSource = kms.amazonaws.com && $.requestParameters.keyId}
  9. Click on "Assign Metric" and create a new metric with a meaningful name.
  10. Specify the namespace as "CloudTrailMetrics" or any other appropriate namespace.
  11. Set the metric value to "1" for each matching log event.
  12. Click on "Create Filter" to save the log metric filter.
  13. After creating the log metric filter, navigate to the CloudWatch console and select the "Alarms" section.
  14. Click on "Create Alarm."
  15. Under the "Select metric" section, choose the metric you created in the previous step.
  16. Configure the alarm threshold to trigger whenever the metric value is greater than zero.
  17. Specify the actions to be taken when the alarm is triggered, such as sending notifications or triggering automated remediation processes.
  18. Review and save the alarm configuration.

Code:

The following AWS CloudFormation template can be used to create the necessary resources for the log metric filter and alarm:

Resources:
  CMKLogMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      # Log group that CloudTrail delivers KMS API events to; replace the placeholder.
      LogGroupName: "/aws/kms/your-log-group-name"
      FilterPattern: "{($.eventName = DisableKey || $.eventName = ScheduleKeyDeletion) && $.eventSource = kms.amazonaws.com && $.requestParameters.keyId}"
      MetricTransformations:
        # Valid MetricTransformation keys are MetricName, MetricNamespace and MetricValue;
        # the ValueType / Value / Namespace keys used originally are rejected by CloudFormation.
        - MetricName: "CMKDisableDeleteMetric"
          MetricNamespace: "CloudTrailMetrics"
          MetricValue: "1"

  CMKLogMetricFilterAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: "CMKDisableDeleteAlarm"
      AlarmDescription: "Alarm for detecting disabling or scheduled deletion of customer created CMKs"
      Namespace: "CloudTrailMetrics"
      MetricName: "CMKDisableDeleteMetric"
      ComparisonOperator: "GreaterThanThreshold"
      # Sum of the 1-per-event metric values in the period; any match makes it > 0.
      Statistic: "Sum"
      Threshold: 0
      Period: 300
      EvaluationPeriods: 1
      # The filter sets no DefaultValue, so quiet periods have no datapoint at all;
      # treat that as OK instead of leaving the alarm in INSUFFICIENT_DATA.
      TreatMissingData: "notBreaching"
      AlarmActions:
        - "arn:aws:sns:your-sns-topic-arn"

Make sure to replace "your-log-group-name" and "your-sns-topic-arn" with the actual names of your log group and SNS topic respectively.
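To see what the filter pattern and the alarm threshold above actually select, here is an added example (not part of this page or of any AWS tooling) that applies the same three conditions to constructed CloudTrail records and computes the per-period Sum the alarm compares against zero. It assumes the bare `$.requestParameters.keyId` term behaves as a presence check for that field.

```python
import json

# Event names and source taken from the page's metric filter pattern.
WATCHED_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}
KMS_SOURCE = "kms.amazonaws.com"


def matches_cmk_filter(event):
    """Mirror the filter pattern:
    {($.eventName = DisableKey || $.eventName = ScheduleKeyDeletion)
     && $.eventSource = kms.amazonaws.com && $.requestParameters.keyId}
    Assumption: the bare keyId term only requires the field to be present."""
    params = event.get("requestParameters") or {}
    return (
        event.get("eventName") in WATCHED_EVENTS
        and event.get("eventSource") == KMS_SOURCE
        and "keyId" in params
    )


def evaluate_log_lines(lines, threshold=0):
    """Apply the filter to one evaluation period of CloudTrail log lines.
    Each match contributes metric value 1; the alarm fires when the Sum is
    greater than the threshold, matching GreaterThanThreshold / Threshold 0."""
    matched = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a non-JSON line can never satisfy a JSON filter pattern
        if matches_cmk_filter(event):
            matched.append((event["eventName"], event["requestParameters"]["keyId"]))
    total = len(matched)
    return {"sum": total, "alarm": total > threshold, "matched": matched}


# Constructed sample records (placeholder key ids, not real resources).
SAMPLE_LINES = [
    json.dumps({"eventSource": KMS_SOURCE, "eventName": "DisableKey",
                "requestParameters": {"keyId": "1234abcd-example-key-1"}}),
    json.dumps({"eventSource": KMS_SOURCE, "eventName": "ScheduleKeyDeletion",
                "requestParameters": {"keyId": "alias/example-key-2", "pendingWindowInDays": 7}}),
    json.dumps({"eventSource": KMS_SOURCE, "eventName": "EnableKey",
                "requestParameters": {"keyId": "1234abcd-example-key-1"}}),  # not watched
    json.dumps({"eventSource": KMS_SOURCE, "eventName": "DisableKey",
                "requestParameters": None}),  # keyId absent: no match
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DisableKey",
                "requestParameters": {"keyId": "x"}}),  # wrong eventSource: no match
    "not json at all",
]

if __name__ == "__main__":
    print(evaluate_log_lines(SAMPLE_LINES))
```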

Remediation Steps:

If the log metric filter and alarm are triggered, follow these steps to remediate the issue:

  1. Review the alarm details to gather information about the CMK that has been disabled or scheduled for deletion.
  2. Identify the user or actor responsible for the action and ensure it was authorized.
  3. If the action was unauthorized, revoke any associated IAM privileges for the user or actor.
  4. Determine the impact of the disabled or scheduled deletion of the CMK.
  5. If necessary, restore the CMK from a backup or create a new CMK to replace the disabled or deleted one.
  6. Implement additional measures, such as enabling AWS CloudTrail logging and reviewing security best practices, to prevent similar incidents in the future.
