This rule ensures that KMS keys are not pending deletion to maintain data security.
Rule | KMS keys should not be pending deletion
Framework | FedRAMP Low Revision 4
Severity | High
Rule Description
The rule states that KMS (Key Management Service) keys must not be in the "PendingDeletion" key state for systems that adhere to the FedRAMP (Federal Risk and Authorization Management Program) Low requirements, Revision 4. Scheduling a KMS key for deletion starts a waiting period of 7 to 30 days (30 by default). During that period the key cannot be used for any cryptographic operation, and when the period ends the key material is deleted permanently; any data encrypted under that key becomes unrecoverable. A key sitting in "PendingDeletion" is therefore either an unintended deletion request or a potentially malicious one, and the waiting period is the only window in which it can still be cancelled. This rule flags such keys so that deletion can be reviewed and cancelled before data loss occurs.
Remediation Steps
Follow these steps to remediate the issue and ensure compliance with the rule:
Identify pending deletion keys: Start by identifying any KMS keys that are currently in the "PendingDeletion" state. This can be done with the AWS Command Line Interface (CLI) or the AWS Management Console; note that both operate on one region at a time, so repeat the check in every region you use.
List KMS keys: Use the following AWS CLI command to list all KMS keys:
aws kms list-keys
This command returns the KeyId and KeyArn of every KMS key in the current account and region. It does not return the key state.
Check key status: For each key, run aws kms describe-key --key-id <key-id> and read the KeyMetadata.KeyState field; keys affected by this rule report "PendingDeletion", and KeyMetadata.DeletionDate shows when the waiting period ends and the key is destroyed. In the console, the Status column on the Customer managed keys page shows the same state.
Cancel key deletion: To cancel the deletion of a KMS key, use the following AWS CLI command:
aws kms cancel-key-deletion --key-id <key-id>
Replace <key-id> with the ID or ARN of the key whose deletion you want to cancel. The caller needs kms:CancelKeyDeletion permission on that key.
Confirm key status: Verify with aws kms describe-key that KeyMetadata.KeyState has changed from "PendingDeletion" to "Disabled". Cancelling a deletion always leaves the key disabled, regardless of its state before deletion was scheduled; if the key should be usable again, run aws kms enable-key --key-id <key-id> and confirm the state is "Enabled".
Repeat for all pending deletion keys: Repeat the cancel and confirm steps for every KMS key that is in the "PendingDeletion" state.
Monitor key status: Regularly check the state of KMS keys so that a key that is moved back into "PendingDeletion" is noticed while the waiting period is still open. The ScheduleKeyDeletion API call is recorded in CloudTrail, so alerting on that event gives immediate notice rather than waiting for the next compliance scan.
Implement safeguards: Add access controls that prevent accidental or unauthorized key deletion in the future. Restrict the kms:ScheduleKeyDeletion permission to a small set of key administrators, for example with a Deny statement in the key policy or in a service control policy that applies to every principal except those administrators, and prefer the maximum 30-day waiting period so there is time to react.
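The procedure above, from listing keys through cancelling deletion and confirming the resulting state, plus the deny policy suggested under "Implement safeguards", as one script. This is an added example written for this page, not tooling from the rule's author or from AWS. It assumes boto3 is available and that the caller's credentials carry kms:ListKeys, kms:DescribeKey and kms:CancelKeyDeletion when run with --live; without --live it runs against a constructed in-memory stand-in for the KMS API so it can be exercised offline. The role ARN in the policy statement and the key IDs in the stand-in are hypothetical.

```python
"""Find KMS keys in the PendingDeletion state, cancel the deletion, confirm the
resulting state, and build a policy statement that restricts ScheduleKeyDeletion.
Added example for this page; not AWS code.  Run with --live to use boto3 against
a real account, otherwise a constructed FakeKms stand-in is used."""
import sys
from datetime import datetime, timezone

PENDING = "PendingDeletion"


def list_all_key_ids(kms):
    """Walk every ListKeys page.  ListKeys returns only KeyId/KeyArn, never state."""
    ids, marker = [], None
    while True:
        kwargs = {"Limit": 1000}
        if marker:
            kwargs["Marker"] = marker
        page = kms.list_keys(**kwargs)
        ids.extend(k["KeyId"] for k in page["Keys"])
        if not page.get("Truncated"):
            return ids
        marker = page["NextMarker"]


def find_pending_deletion(kms):
    """DescribeKey each key and keep those whose KeyState is PendingDeletion."""
    pending = []
    for key_id in list_all_key_ids(kms):
        md = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if md["KeyState"] == PENDING:
            pending.append({"KeyId": md["KeyId"], "DeletionDate": md.get("DeletionDate")})
    return pending


def cancel_and_confirm(kms, key_ids):
    """CancelKeyDeletion leaves the key Disabled; KMS never re-enables it for you.
    Returns {key_id: KeyState observed after the cancel}."""
    result = {}
    for key_id in key_ids:
        kms.cancel_key_deletion(KeyId=key_id)
        result[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    return result


def deny_schedule_deletion_statement(allowed_principal_arns, for_key_policy=False):
    """Deny kms:ScheduleKeyDeletion to every principal except the listed ARNs.
    Shaped for an SCP (no Principal element); for_key_policy=True adds the
    Principal element a key policy statement requires."""
    stmt = {
        "Sid": "DenyKeyDeletionExceptKeyAdmins",
        "Effect": "Deny",
        "Action": ["kms:ScheduleKeyDeletion"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(allowed_principal_arns)}},
    }
    if for_key_policy:
        stmt["Principal"] = {"AWS": "*"}
    return stmt


class FakeKms:
    """Constructed stand-in for boto3's KMS client: three hypothetical keys, two of
    them pending deletion, served over two ListKeys pages to exercise pagination."""

    def __init__(self):
        self.state = {"1111-enabled": "Enabled", "2222-pending": PENDING, "3333-pending": PENDING}

    def list_keys(self, **kwargs):
        ids = sorted(self.state)
        if "Marker" not in kwargs:
            return {"Keys": [{"KeyId": i} for i in ids[:2]], "Truncated": True, "NextMarker": ids[2]}
        return {"Keys": [{"KeyId": i} for i in ids[2:]], "Truncated": False}

    def describe_key(self, KeyId):
        md = {"KeyId": KeyId, "KeyState": self.state[KeyId]}
        if md["KeyState"] == PENDING:
            md["DeletionDate"] = datetime(2024, 1, 1, tzinfo=timezone.utc)
        return {"KeyMetadata": md}

    def cancel_key_deletion(self, KeyId):
        self.state[KeyId] = "Disabled"  # real KMS behaviour: cancelled keys are Disabled
        return {"KeyId": KeyId}


def main(argv):
    if "--live" in argv:
        import boto3  # only needed against a real account
        kms = boto3.client("kms")
    else:
        kms = FakeKms()
    pending = find_pending_deletion(kms)
    print("pending deletion:", pending)
    if "--cancel" in argv:
        print("state after cancel:", cancel_and_confirm(kms, [p["KeyId"] for p in pending]))
    print("deny statement:", deny_schedule_deletion_statement(
        ["arn:aws:iam::123456789012:role/KeyAdmin"]))  # hypothetical admin role


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the stand-in's two pending keys, with --cancel to watch them move to Disabled rather than back to Enabled, and with --live --cancel against real credentials once you have reviewed the list. The deny statement lists the one role allowed to schedule deletion; everyone else, including principals that otherwise have kms:* through an administrator policy, is refused by the explicit Deny.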
Troubleshooting Steps
If you encounter any issues while following the remediation steps, check the likely causes below:
Issue: Unable to access AWS CLI or Management Console. The CLI needs configured credentials and a region; confirm them with aws sts get-caller-identity.
Issue: Unable to list KMS keys. The caller needs kms:ListKeys (and kms:DescribeKey to read the key state); check the identity's IAM policies and any service control policy that applies to the account.
Issue: Unable to cancel key deletion. kms:CancelKeyDeletion must be allowed for the caller by the key's key policy (directly or through IAM policies the key policy delegates to), and must not be blocked by a service control policy.
Issue: Key status does not change after canceling deletion. A cancelled key becomes "Disabled", not "Enabled"; if you expect it to be usable, run aws kms enable-key on it. If the state is still "PendingDeletion", the cancel call did not succeed; re-run it and inspect the error.
Conclusion
By following the remediation steps outlined above, you will ensure that no KMS key is left in the "PendingDeletion" state on systems complying with the FedRAMP Low requirements, Revision 4. Regularly monitoring key state, alerting on ScheduleKeyDeletion events, and restricting who can schedule deletion will help maintain compliance and protect the data encrypted under those keys from becoming unrecoverable.