
Rule: KMS Keys Should Not Be Pending Deletion

This rule states that KMS keys should not be left in a pending deletion state.

Rule: KMS keys should not be pending deletion
Framework: GxP 21 CFR Part 11
Severity: High

Rule Description:

KMS (Key Management Service) keys should not be in a "pending deletion" state for GxP 21 CFR Part 11 compliance. The "pending deletion" state indicates that the key is scheduled for permanent deletion and can no longer be used for encryption or decryption of data. This rule ensures that KMS keys, which are used to protect sensitive data, are not inadvertently deleted, causing data loss or regulatory non-compliance.

Troubleshooting Steps:

If a KMS key is found to be in a "pending deletion" state, the following troubleshooting steps can be followed:

  1. Verify the key's status: Check the current status of the KMS key by using the AWS Management Console, AWS CLI (Command Line Interface), or AWS SDKs (Software Development Kits). Confirm that the key is indeed in the "pending deletion" state.

  2. Identify the reason for the "pending deletion": Determine the root cause for the key being in this state. It could be intentional, accidental, or initiated by another user or process.

  3. Assess the impact: Understand the consequences of deleting the key. Evaluate the potential data loss, the impact on applications or services that rely on the key, and the compliance implications.

  4. Determine key recovery options: If the key is needed for ongoing operations or compliance, verify whether the key can be recovered or restored from backup. Identify any available options for key recovery.

  5. Address the root cause: If the key was accidentally put into the "pending deletion" state, investigate how this occurred and take steps to prevent similar incidents in the future.

Necessary Codes:

No specific codes are required for this rule. Troubleshooting and remediation steps can be performed using the AWS Management Console, AWS CLI, or AWS SDKs.

Remediation Steps:

To remediate the issue of a KMS key being in a "pending deletion" state, follow these steps:

  1. Verify the key status: Log in to the AWS Management Console or use the AWS CLI/SDKs to confirm the key is in "pending deletion" status.

  2. Assess the impact: Understand the consequences of deleting the key. Consider the data encrypted with the key, the applications or services that depend on it, and the compliance requirements.

  3. Recover the key (if possible): If key recovery is necessary, check whether a backup or snapshot of the key exists. Restore the key from the backup using the appropriate AWS services or tools.

  4. Enable key deletion protection (optional): If the key was accidentally put into the "pending deletion" state, consider enabling key deletion protection to prevent a recurrence. This ensures critical keys cannot be deleted without explicit action from authorized users.

  5. Communicate and document: After resolving the issue, communicate the incident to the relevant stakeholders and document the root cause and the remediation steps taken. Ensure compliance records are updated accordingly.
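The troubleshooting and remediation steps above can be scripted against the AWS KMS API. The following is an added example, not code from the Cloud Defense rule page: it lists every key in a region, flags those whose KeyState is PendingDeletion, reports how many days of the waiting period remain, and, when asked, cancels the scheduled deletion with CancelKeyDeletion (KMS leaves a key Disabled after cancellation, so the script re-enables it). The live path assumes boto3 is installed and credentials with kms:ListKeys, kms:DescribeKey, kms:CancelKeyDeletion and kms:EnableKey; the FakeKms class, SAMPLE_KEYS and SAMPLE_NOW are constructed stand-ins so the logic can be run offline.

```python
"""Detect AWS KMS keys in the PendingDeletion state and cancel the deletion.

Added example; not part of the Cloud Defense rule page. run_live() needs boto3
and AWS credentials; run_demo() uses a constructed stand-in client.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Iterable

PENDING = "PendingDeletion"  # KeyState value reported by kms:DescribeKey


def pending_deletion_keys(key_metadata: Iterable[dict]) -> list[dict]:
    """Return one finding per key whose KeyState is PendingDeletion."""
    findings = []
    for md in key_metadata:
        if md.get("KeyState") != PENDING:
            continue
        findings.append({
            "KeyId": md["KeyId"],
            "Arn": md.get("Arn"),
            "KeyManager": md.get("KeyManager"),  # only CUSTOMER keys can be scheduled for deletion
            "DeletionDate": md.get("DeletionDate"),
        })
    return findings


def days_remaining(deletion_date: datetime, now: datetime) -> int:
    """Whole days left in the waiting period before the deletion becomes irreversible."""
    return max(0, (deletion_date - now).days)


def fetch_key_metadata(kms) -> list[dict]:
    """Collect KeyMetadata for every key in the region (list_keys is paginated)."""
    metadata = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            metadata.append(kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
    return metadata


def cancel_pending_deletion(kms, key_id: str, re_enable: bool = True) -> str:
    """Cancel the scheduled deletion. KMS leaves the key Disabled afterwards,
    so re-enable it when it is still needed. Returns the resulting KeyState."""
    kms.cancel_key_deletion(KeyId=key_id)
    if re_enable:
        kms.enable_key(KeyId=key_id)
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]


# --- constructed sample data and a stand-in client for offline use ----------
SAMPLE_NOW = datetime(2024, 6, 20, tzinfo=timezone.utc)
SAMPLE_KEYS = [  # constructed metadata; the key ids are placeholders
    {"KeyId": "00000000-0000-4000-8000-000000000001", "KeyState": "Enabled",
     "KeyManager": "CUSTOMER", "DeletionDate": None},
    {"KeyId": "00000000-0000-4000-8000-000000000002", "KeyState": PENDING,
     "KeyManager": "CUSTOMER",
     "DeletionDate": datetime(2024, 6, 30, tzinfo=timezone.utc)},
    {"KeyId": "00000000-0000-4000-8000-000000000003", "KeyState": "Disabled",
     "KeyManager": "CUSTOMER", "DeletionDate": None},
]


class FakeKms:
    """Minimal stand-in for boto3's KMS client (constructed, not an AWS API)."""

    def __init__(self, keys: list[dict]):
        self._keys = {k["KeyId"]: dict(k) for k in keys}

    def get_paginator(self, name: str):
        keys = self._keys

        class _Paginator:
            def paginate(self):
                return [{"Keys": [{"KeyId": k} for k in keys]}]
        return _Paginator()

    def describe_key(self, KeyId: str) -> dict:
        return {"KeyMetadata": dict(self._keys[KeyId])}

    def cancel_key_deletion(self, KeyId: str) -> None:
        self._keys[KeyId].update(KeyState="Disabled", DeletionDate=None)

    def enable_key(self, KeyId: str) -> None:
        self._keys[KeyId].update(KeyState="Enabled")


def run_demo(cancel: bool = True) -> tuple[list[dict], list[str]]:
    """Scan the constructed sample account and optionally cancel each pending deletion."""
    kms = FakeKms(SAMPLE_KEYS)
    findings = pending_deletion_keys(fetch_key_metadata(kms))
    states = [cancel_pending_deletion(kms, f["KeyId"]) for f in findings] if cancel else []
    return findings, states


def run_live(region: str | None = None, cancel: bool = False) -> list[dict]:
    """Same scan against a real account; boto3 is imported here so the module imports offline."""
    import boto3  # assumed installed and configured with credentials
    kms = boto3.client("kms", region_name=region)
    findings = pending_deletion_keys(fetch_key_metadata(kms))
    for f in findings:
        if cancel:
            f["KeyState"] = cancel_pending_deletion(kms, f["KeyId"])
    return findings


if __name__ == "__main__":
    for f, state in zip(*run_demo()):
        left = days_remaining(f["DeletionDate"], SAMPLE_NOW)
        print(f"{f['KeyId']}: was {PENDING} with {left} days left; now {state}")
```

Run the script as-is to exercise the offline demo; call run_live(region="us-east-1") for a report only, and run_live(region="us-east-1", cancel=True) to also cancel the scheduled deletions. Keep cancel=False in scheduled detection jobs and restrict the cancelling variant to an operator who has completed the impact assessment in step 2, since re-enabling a key that was intentionally retired is itself a finding worth documenting.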

Remember to follow any internal policies and procedures specific to your organization throughout the remediation process.

Note: The exact commands and steps may vary based on the AWS service versions and tools used. Please refer to the AWS documentation or consult your organization's internal resources for the most accurate and up-to-date information.
