
Rule: KMS Keys Should Not Be Pending Deletion

This rule ensures that KMS keys are not in a pending deletion state, maintaining data security.

Rule: KMS keys should not be pending deletion
Framework: CISA-cyber-essentials
Severity: High

Rule Description:

KMS keys should not be in a "pending deletion" state for compliance with CISA Cyber Essentials.

Policy Details:

CISA Cyber Essentials requires all Key Management Service (KMS) keys to be actively in use and not in a "pending deletion" state. This ensures that there are no inactive or decommissioned keys that could be potential security risks.

Troubleshooting Steps:

If you come across a KMS key that is in a "pending deletion" state, follow these troubleshooting steps:

  1. Identify the KMS Key: Determine which KMS key is in the "pending deletion" state. You can obtain a list of all KMS keys using the AWS CLI or AWS Management Console.

  2. Check Key Status: Verify the status of the identified key. If it is indeed in a "pending deletion" state, proceed to the remediation steps.

Remediation Steps:

Option 1: Canceling Key Deletion (Console)

  1. Log in to the AWS Management Console.

  2. Open the Key Management Service (KMS) page.

  3. Click on "Customer managed keys."

  4. Search for the KMS key that is in a "pending deletion" state.

  5. Select the key and click on "Cancel key deletion" from the "Actions" menu.

  6. Confirm the cancellation by clicking on "Cancel key deletion." This will immediately restore the key and make it active again.

Option 2: Canceling Key Deletion (AWS CLI)

  1. Install and configure the AWS CLI if you haven't already.

  2. Open a terminal or command prompt.

  3. Use the following command to cancel the deletion of the KMS key:

         aws kms cancel-key-deletion --key-id <key-id>

     Replace <key-id> with the ID or ARN of the KMS key that is in a "pending deletion" state.

  4. Press Enter to execute the command. This will immediately restore the key and make it active again.

  5. Verify the key status using the AWS Management Console or AWS CLI to ensure the key is no longer in a "pending deletion" state.
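The troubleshooting and remediation steps above can be scripted end to end. The following is an added example, not Cloud Defense's scanner code and not an AWS sample: it audits every customer-managed key for the PendingDeletion state and restores any it finds. It is written against the boto3 KMS client method names (list_keys, describe_key, cancel_key_deletion, enable_key), but to run offline it uses a constructed in-memory stand-in (FakeKms) with placeholder key IDs and account number; swap in boto3.client("kms") for real use. One caveat a practitioner should know, which the script handles: after CancelKeyDeletion, AWS leaves the key in the Disabled state, so EnableKey is still needed before the key is usable again.

```python
"""Find KMS keys pending deletion and bring them back into service.

Added example; not Cloud Defense's or AWS's code. Any object exposing the
boto3 KMS method names below will work; FakeKms is a constructed stand-in.
"""
from typing import Dict, List

PENDING = "PendingDeletion"

# Constructed sample inventory (placeholder IDs / account number), shaped like
# the KeyMetadata returned by `aws kms describe-key`.
SAMPLE_KEYS = [
    {"KeyId": "00000000-0000-0000-0000-000000000001",
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000001",
     "KeyState": "Enabled", "KeyManager": "CUSTOMER"},
    {"KeyId": "00000000-0000-0000-0000-000000000002",
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000002",
     "KeyState": PENDING, "KeyManager": "CUSTOMER",
     "DeletionDate": "2024-01-31T00:00:00Z"},
    {"KeyId": "00000000-0000-0000-0000-000000000003",
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000003",
     "KeyState": "Enabled", "KeyManager": "AWS"},
]


class FakeKms:
    """Offline stand-in for boto3.client('kms'); mirrors the real state transitions."""

    def __init__(self, keys: List[Dict]):
        self._keys = {k["KeyId"]: dict(k) for k in keys}

    def list_keys(self, Marker=None, Limit=None):
        ids = sorted(self._keys)
        return {"Keys": [{"KeyId": i, "KeyArn": self._keys[i]["Arn"]} for i in ids],
                "Truncated": False}

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._keys[KeyId])}

    def cancel_key_deletion(self, KeyId):
        meta = self._keys[KeyId]
        if meta["KeyState"] != PENDING:
            raise ValueError("KMSInvalidStateException: key is not pending deletion")
        meta["KeyState"] = "Disabled"      # real KMS behaviour: cancelled keys come back Disabled
        meta.pop("DeletionDate", None)
        return {"KeyId": KeyId}

    def enable_key(self, KeyId):
        meta = self._keys[KeyId]
        if meta["KeyState"] != "Disabled":
            raise ValueError("KMSInvalidStateException: key is not disabled")
        meta["KeyState"] = "Enabled"
        return {}


def find_pending_deletion(kms) -> List[Dict]:
    """Troubleshooting steps 1-2: return metadata for every customer-managed key pending deletion."""
    findings, marker = [], None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            # AWS-managed keys cannot be scheduled for deletion; only customer-managed keys matter.
            if meta.get("KeyManager") == "CUSTOMER" and meta.get("KeyState") == PENDING:
                findings.append(meta)
        if not page.get("Truncated"):
            return findings
        marker = page["NextMarker"]


def restore_key(kms, key_id: str) -> str:
    """Remediation: cancel the deletion, then enable the key. Returns the final KeyState."""
    kms.cancel_key_deletion(KeyId=key_id)
    state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    if state == "Disabled":               # expected after CancelKeyDeletion
        kms.enable_key(KeyId=key_id)
        state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    return state


def remediate_all(kms) -> Dict[str, str]:
    """Audit, restore each finding, and re-verify (step 5). Returns {key_id: final_state}."""
    results = {m["KeyId"]: restore_key(kms, m["KeyId"]) for m in find_pending_deletion(kms)}
    assert not find_pending_deletion(kms), "some keys are still pending deletion"
    return results


if __name__ == "__main__":
    client = FakeKms(SAMPLE_KEYS)   # replace with boto3.client("kms") against a real account
    for meta in find_pending_deletion(client):
        print(f"FINDING {meta['Arn']} deletes on {meta['DeletionDate']}")
    print(remediate_all(client))
```

The remediation deliberately does not schedule, delete or create anything; it only reverses a pending deletion and re-enables the key, which matches what the console's "Cancel key deletion" action plus an explicit enable does. Keys whose deletion was scheduled on purpose (a completed retirement) should be reviewed with the key's owner before being restored.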

Conclusion:

By following the above troubleshooting and remediation steps, you can prevent KMS keys from being in a "pending deletion" state, ensuring compliance with CISA Cyber Essentials. Regularly monitoring and managing the status of KMS keys will help maintain a secure and efficient Key Management Service environment.
