This rule ensures the presence of a log metric filter and alarm for customer-created CMKs
Rule | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
Framework | cis_v150 |
Severity | Low |
Rule Description:
To protect customer-created customer master keys (CMKs) in the AWS Key Management Service (KMS), a log metric filter and alarm should be set up to detect any disabling or scheduled deletion of a CMK. This rule ensures that every attempt to disable or schedule deletion of a CMK is captured and alerted on immediately, so that unauthorized activity can be acted on swiftly.
Troubleshooting Steps:
If the log metric filter and alarm do not exist, follow the steps below to create them:
Code:
The following AWS CloudFormation template can be used to create the necessary resources for the log metric filter and alarm:
Resources:
  CMKLogMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      # KMS API calls reach CloudWatch Logs through CloudTrail, so this must be the
      # log group your CloudTrail trail delivers to.
      LogGroupName: "/aws/kms/your-log-group-name"
      # Match only KMS DisableKey and ScheduleKeyDeletion events.
      FilterPattern: "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
      MetricTransformations:
        - MetricName: "CMKDisableDeleteMetric"
          MetricNamespace: "CloudTrailMetrics"
          MetricValue: "1"   # each matching event adds one data point
  CMKLogMetricFilterAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: "CMKDisableDeleteAlarm"
      AlarmDescription: "Alarm for detecting disabling or scheduled deletion of customer created CMKs"
      Namespace: "CloudTrailMetrics"
      MetricName: "CMKDisableDeleteMetric"
      # Fire as soon as a single matching event lands in a 5-minute period.
      ComparisonOperator: "GreaterThanThreshold"
      Statistic: "SampleCount"
      Threshold: 0
      Period: 300
      EvaluationPeriods: 1
      AlarmActions:
        - "arn:aws:sns:your-sns-topic-arn"
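Before wiring the template into an account, it helps to see what the filter and alarm actually catch and what they ignore. The following is an added example, not the rule page's or any AWS tool's code: an offline Python emulation of the FilterPattern predicate and of the alarm rule (SampleCount greater than 0 per 300-second period), run over constructed CloudTrail records whose key id, source names and timestamps are fabricated.

```python
# Added example (not the rule page's or AWS's code): offline emulation of the
# FilterPattern predicate and the alarm rule (SampleCount > 0 per 300 s Period)
# over constructed CloudTrail records.
import json
from datetime import datetime, timedelta

WATCHED_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}  # eventName values in the filter
PERIOD = timedelta(seconds=300)                          # Period: 300
THRESHOLD = 0                                            # Threshold: 0, GreaterThanThreshold

def _parse_time(iso: str) -> datetime:
    """CloudTrail eventTime is UTC with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def matches_filter(record: dict) -> bool:
    """Same predicate as the FilterPattern: KMS eventSource AND a watched eventName."""
    return (record.get("eventSource") == "kms.amazonaws.com"
            and record.get("eventName") in WATCHED_EVENTS)

def alarm_state(records: list, window_end_iso: str) -> str:
    """SampleCount of matches in (window_end - PERIOD, window_end]; ALARM if > THRESHOLD."""
    window_end = _parse_time(window_end_iso)
    window_start = window_end - PERIOD
    sample_count = sum(1 for r in records if matches_filter(r)
                       and window_start < _parse_time(r["eventTime"]) <= window_end)
    return "ALARM" if sample_count > THRESHOLD else "OK"

# Constructed sample CloudTrail records (fabricated for this example, not real account data).
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-01T12:00:10Z", "eventSource": "kms.amazonaws.com",
                "eventName": "ScheduleKeyDeletion",
                "requestParameters": {"keyId": "EXAMPLE-KEY-ID", "pendingWindowInDays": 7}}),
    json.dumps({"eventTime": "2024-01-01T12:01:00Z", "eventSource": "kms.amazonaws.com",
                "eventName": "Decrypt"}),               # routine key use: must not alarm
    json.dumps({"eventTime": "2024-01-01T11:40:00Z", "eventSource": "kms.amazonaws.com",
                "eventName": "DisableKey"}),            # matches, but outside the 12:00-12:05 window
    json.dumps({"eventTime": "2024-01-01T12:02:00Z", "eventSource": "example.amazonaws.com",
                "eventName": "DisableKey"}),            # constructed non-KMS source: filtered out
]
RECORDS = [json.loads(line) for line in SAMPLE_LOG_LINES]

if __name__ == "__main__":
    print([r["eventName"] for r in RECORDS if matches_filter(r)])  # ['ScheduleKeyDeletion', 'DisableKey']
    print(alarm_state(RECORDS, "2024-01-01T12:05:00Z"))            # ALARM
    print(alarm_state(RECORDS, "2024-01-01T12:30:00Z"))            # OK: nothing in 12:25-12:30
```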
Make sure to replace "your-log-group-name" and "your-sns-topic-arn" with the actual name of your CloudTrail log group and the ARN of your SNS topic, respectively.

Remediation Steps:
If the log metric filter and alarm are triggered, follow these steps to remediate the issue: