Rule: KMS Keys Should Not Be Pending Deletion

This rule mandates that KMS keys should not be in pending deletion status.

Rule: KMS keys should not be pending deletion
Framework: HIPAA
Severity: High

Rule Description

KMS (AWS Key Management Service) keys should not be in the PendingDeletion state. A key enters this state when its deletion is scheduled; during the waiting period (7 to 30 days, chosen when the deletion was scheduled) the key cannot be used for any cryptographic operation, and when the waiting period ends the key material is destroyed and every object encrypted under that key becomes permanently unrecoverable. For HIPAA-regulated workloads that can mean losing access to encrypted ePHI, so this rule flags every key that is pending deletion so the scheduled deletion can be reviewed and, if it was not intended, cancelled before the waiting period expires.

Troubleshooting Steps (if applicable)

If you encounter a KMS key in the PendingDeletion state, follow these troubleshooting steps:

  1. Identify the key: determine which KMS key is in the PendingDeletion state (its key ID or ARN).

  2. Verify the key's status: confirm from the key details that the key state is PendingDeletion, and note the deletion date, which is the end of the waiting period.

  3. Understand the circumstances: determine why the key was scheduled for deletion. It could be intentional (a planned key retirement), accidental, or the result of an error such as an automation acting on the wrong key.

  4. Check key dependencies: look for anything that still relies on the key. This includes aliases and grants attached to it, recent Encrypt, Decrypt and GenerateDataKey calls in CloudTrail, and, most importantly, data at rest (for example EBS volumes, S3 objects or RDS snapshots) that was encrypted under the key and can never be decrypted once the key is gone.

  5. Determine the appropriate action: based on the circumstances, decide whether the deletion should proceed as planned or whether the key should be restored. Deletion is irreversible, so when in doubt cancel it: a disabled key can be kept indefinitely and re-enabled later, whereas a deleted key cannot be recovered.

Necessary Codes (if applicable)

If the KMS key needs to be restored, the following AWS CLI commands apply. The caller needs the kms:DescribeKey and kms:CancelKeyDeletion permissions on the key (and kms:EnableKey to re-enable it afterwards).

  1. To check the status of a KMS key (look at KeyState and DeletionDate in the output):

    aws kms describe-key --key-id <key-id>

  2. To cancel the scheduled deletion of a KMS key:

    aws kms cancel-key-deletion --key-id <key-id>

Cancelling the deletion leaves the key in the Disabled state, not Enabled. To use the key again you must enable it as a separate step (enable-key in the AWS CLI, or the Enable action in the console).

Step-by-Step Guide for Remediation

To remediate a KMS key that is in the PendingDeletion state, follow these step-by-step instructions:

  1. Identify the key:

    • Sign in to the AWS Management Console and open the Key Management Service (KMS) section.
    • Open Customer managed keys (AWS managed keys cannot be scheduled for deletion, so they never trigger this rule) and look for keys whose status is Pending deletion.

  2. Verify the key's status:

    • Click on the key to view its details.
    • Confirm that the key state is Pending deletion and note the scheduled deletion date; once that date passes, the key and all data encrypted under it are gone for good.

  3. Understand the circumstances:

    • Look up the ScheduleKeyDeletion event for the key in CloudTrail to see which principal scheduled the deletion, and when.
    • Determine whether it was intentionally scheduled, done by mistake, or caused by an error.

  4. Check key dependencies:

    • Review the aliases and grants attached to the key and the AWS services or applications that have used it.
    • Search CloudTrail for recent cryptographic operations (Encrypt, Decrypt, GenerateDataKey) that reference the key.
    • Identify data at rest that was encrypted under the key. If that data still needs to be readable, the key must be restored (or the data re-encrypted under another key before the waiting period expires); otherwise reconfigure dependent resources to use another active key, or create a new key if necessary.

  5. Determine the appropriate action:

    • If the deletion was intentional and nothing depends on the key, let the scheduled deletion proceed.
    • If the deletion was accidental or erroneous, or anything still depends on the key, restore it.

  6. Remediation for permanent deletion:

    • If the decision is to let the key be deleted:
      • Confirm the irreversible nature of the action with the key's owner.
      • Follow your organization's key retirement procedure.
      • Record the decision and the deletion date for audit purposes. The rule will keep flagging the key until the waiting period ends and the key is deleted.

  7. Remediation for restoring the key:

    • Cancel the scheduled deletion, using the AWS CLI command from the "Necessary Codes" section or the Cancel key deletion action in the console.
    • Cancelling the deletion puts the key into the Disabled state, not Enabled. Enable it afterwards (the Enable action in the console, or enable-key in the AWS CLI) if it is meant to be used.
    • Verify that the key state is now Enabled (or Disabled, if you deliberately chose to keep it disabled).

  8. Validation:

    • Re-check the key's status to confirm it is no longer Pending deletion.
    • Monitor key states continuously, for example by alerting on ScheduleKeyDeletion events in CloudTrail, so that any future scheduled deletion is noticed well within the waiting period.
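The audit-and-restore procedure above, as an added example in Python (this is not Cloud Defense's own code). It relies only on the boto3 KMS client methods list_keys, describe_key, cancel_key_deletion and enable_key; the FakeKms class, the key IDs, the account number and the fixed NOW timestamp are constructed sample data so the script runs offline, and the --live flag switches it to a real boto3 client. It deliberately restores only the one key named on the command line, because the decision in steps 3 to 5 has to be made per key.

```python
"""Audit KMS keys for the PendingDeletion state and restore a chosen key.

Added example, not Cloud Defense's code. It relies only on the boto3 KMS client
methods list_keys, describe_key, cancel_key_deletion and enable_key; everything
in FakeKms and sample_client() is constructed sample data for offline use.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock for the sample data


def list_all_key_ids(kms):
    """Walk list_keys through its Marker/Truncated/NextMarker pagination."""
    ids, marker = [], None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        ids.extend(k["KeyId"] for k in page["Keys"])
        if not page.get("Truncated"):
            return ids
        marker = page["NextMarker"]


def find_pending_deletion(kms, now=None):
    """Return [(key_id, days_until_deletion)] for every key in PendingDeletion.

    DeletionDate is the end of the waiting period; after it the key material and
    all ciphertext under it are unrecoverable, so the day count is the deadline.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for key_id in list_all_key_ids(kms):
        md = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if md["KeyState"] == "PendingDeletion":
            findings.append((key_id, (md["DeletionDate"] - now).days))
    return findings


def restore_key(kms, key_id):
    """Cancel the scheduled deletion, re-enable the key, return its final KeyState.

    Needs kms:CancelKeyDeletion and kms:EnableKey on the key. CancelKeyDeletion
    alone leaves the key Disabled, so EnableKey is a separate, required step.
    """
    kms.cancel_key_deletion(KeyId=key_id)
    kms.enable_key(KeyId=key_id)
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]


class FakeKms:
    """Constructed in-memory stand-in for the boto3 KMS client (one key per page)."""

    def __init__(self, keys):
        self._keys = keys  # key_id -> KeyMetadata dict, mutated like the real service

    def list_keys(self, Marker=None):
        ids = sorted(self._keys)
        start = ids.index(Marker) if Marker else 0
        page = ids[start:start + 1]
        resp = {"Keys": [{"KeyId": k, "KeyArn": self._keys[k]["Arn"]} for k in page]}
        if start + 1 < len(ids):
            resp.update(Truncated=True, NextMarker=ids[start + 1])
        else:
            resp["Truncated"] = False
        return resp

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._keys[KeyId])}

    def cancel_key_deletion(self, KeyId):
        md = self._keys[KeyId]
        if md["KeyState"] != "PendingDeletion":  # real client: KMSInvalidStateException
            raise ValueError(f"{KeyId} is not pending deletion (state {md['KeyState']})")
        md.update(KeyState="Disabled", Enabled=False)  # cancellation does NOT enable
        md.pop("DeletionDate", None)
        return {"KeyId": md["Arn"]}

    def enable_key(self, KeyId):
        self._keys[KeyId].update(KeyState="Enabled", Enabled=True)
        return {}


def sample_client():
    """Three constructed customer-managed keys: one healthy, two scheduled for deletion."""
    def md(key_id, state, deletion_days=None):
        m = {"KeyId": key_id, "KeyState": state, "Enabled": state == "Enabled",
             "KeyManager": "CUSTOMER",
             "Arn": f"arn:aws:kms:us-east-1:111122223333:key/{key_id}"}  # made-up account
        if deletion_days is not None:
            m["DeletionDate"] = NOW + timedelta(days=deletion_days)
        return m
    return FakeKms({"key-a": md("key-a", "Enabled"),
                    "key-b": md("key-b", "PendingDeletion", 7),
                    "key-c": md("key-c", "PendingDeletion", 29)})


if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv  # --live uses the real account; default is the sample data
    if live:
        import boto3
        kms = boto3.client("kms")
    else:
        kms = sample_client()
    for key_id, days in find_pending_deletion(kms, None if live else NOW):
        print(f"{key_id}: PendingDeletion, {days} day(s) left before permanent deletion")
    if "--restore" in sys.argv:  # restore only the single key named after the flag
        target = sys.argv[sys.argv.index("--restore") + 1]
        print(f"{target}: restored, KeyState={restore_key(kms, target)}")
```

Run it with no arguments to see the two sample findings; `--restore key-b` then cancels that key's deletion, enables it and reports KeyState=Enabled. With `--live`, the same functions run against the real account and the day count tells you how much of the waiting period is left.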

By following these steps, you can ensure that KMS keys are not in the "pending deletion" state, maintaining compliance with HIPAA regulations.
