This rule ensures that KMS keys are not left pending deletion to maintain security standards.
Rule: KMS keys should not be pending deletion
Framework: NIST 800-53 Revision 5
Severity: High
Rule Description:
KMS (Key Management Service) keys in an organization's AWS (Amazon Web Services) account should not be in a "pending deletion" status. A key in that state can no longer be used for cryptographic operations, and once its waiting period expires the key material is destroyed, leaving any data encrypted under it unrecoverable. This rule supports the security requirements outlined in NIST (National Institute of Standards and Technology) 800-53 Revision 5, a widely recognized security framework.
Troubleshooting Steps:
If any KMS keys are found to be in a "pending deletion" status, follow these troubleshooting steps to remediate the issue:
Identify Pending Deletion KMS Keys: Review the list of KMS keys in your AWS account and identify the ones that are in a "pending deletion" status. Use the AWS Management Console, AWS CLI (Command Line Interface), or AWS SDKs (Software Development Kits) to list the KMS keys and their current status.
Check for Dependencies: Before taking any actions, ensure that the KMS key is not being used by any resources or services within your AWS infrastructure. Identifying and addressing any dependencies is crucial to prevent unintended disruptions.
Delay or Cancel Deletion: If you have confirmed that the KMS key is no longer required to protect any sensitive data, you can either delay or cancel the deletion process.
Delay Deletion: To postpone the deletion of a KMS key, use the AWS CLI schedule-key-deletion command, specifying the number of days to delay the deletion. For example:
aws kms schedule-key-deletion --key-id <KMS_KEY_ID> --pending-window-in-days <NUMBER_OF_DAYS>
Cancel Deletion: To cancel the deletion of a KMS key entirely, use the AWS CLI cancel-key-deletion command, passing the key ID. For example:
aws kms cancel-key-deletion --key-id <KMS_KEY_ID>
Monitor Action: After delaying or canceling the deletion, monitor the KMS key to ensure it remains in an active state and does not re-enter the "pending deletion" status. If needed, take appropriate action to prevent unintentional deletion in the future.
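As an added example, not code from this rule page or from AWS, the following Python locates customer-managed keys in PendingDeletion and applies the two remediations above, including two details the steps leave implicit: CancelKeyDeletion leaves the key Disabled until EnableKey is called, and ScheduleKeyDeletion rejects a key that is already pending deletion, so postponing means cancel and then reschedule. It assumes `kms` is any object exposing the boto3 KMS client methods used (list_keys, describe_key, cancel_key_deletion, enable_key, schedule_key_deletion); `FakeKms` and its key ids are a constructed stand-in so the script runs offline, and boto3.client("kms") takes its place in a real account.

```python
from datetime import datetime, timedelta, timezone


def find_pending_deletion(kms):
    """Return [(key_id, deletion_date)] for customer-managed keys in PendingDeletion, soonest first."""
    pending, marker = [], None
    while True:  # ListKeys is paginated: follow NextMarker until Truncated is false
        page = kms.list_keys(Marker=marker) if marker else kms.list_keys()
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            # AWS-managed keys can never be scheduled for deletion; only CUSTOMER keys can
            if meta["KeyManager"] == "CUSTOMER" and meta["KeyState"] == "PendingDeletion":
                pending.append((meta["KeyId"], meta["DeletionDate"]))
        if not page.get("Truncated"):
            return sorted(pending, key=lambda p: p[1])
        marker = page["NextMarker"]


def cancel_deletion(kms, key_id):
    """CancelKeyDeletion leaves the key Disabled, so re-enable it; returns the final KeyState."""
    kms.cancel_key_deletion(KeyId=key_id)
    kms.enable_key(KeyId=key_id)
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]


def postpone_deletion(kms, key_id, days):
    """Restart the waiting period: cancel first (a PendingDeletion key cannot be rescheduled
    directly), then schedule again; PendingWindowInDays must be 7..30."""
    if not 7 <= days <= 30:
        raise ValueError("PendingWindowInDays must be between 7 and 30")
    kms.cancel_key_deletion(KeyId=key_id)
    return kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=days)["DeletionDate"]


class FakeKms:
    """Constructed in-memory stand-in for the KMS client; key ids and dates are sample data."""
    def __init__(self, now=datetime(2024, 1, 1, tzinfo=timezone.utc)):
        self.now = now
        self.keys = {
            "k-old": {"KeyId": "k-old", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion",
                      "DeletionDate": now + timedelta(days=9)},
            "k-aws": {"KeyId": "k-aws", "KeyManager": "AWS", "KeyState": "Enabled"},
        }
    def list_keys(self, **_):
        return {"Keys": [{"KeyId": k} for k in self.keys], "Truncated": False}
    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.keys[KeyId])}
    def cancel_key_deletion(self, KeyId):
        self.keys[KeyId].pop("DeletionDate", None)
        self.keys[KeyId]["KeyState"] = "Disabled"
    def enable_key(self, KeyId): self.keys[KeyId]["KeyState"] = "Enabled"
    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        date = self.now + timedelta(days=PendingWindowInDays)
        self.keys[KeyId].update(KeyState="PendingDeletion", DeletionDate=date)
        return {"DeletionDate": date}
```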
Additional Considerations:
Note: The above steps are generic troubleshooting steps. Please consult the official AWS documentation and NIST 800-53 Revision 5 for specific guidance tailored to your organization's requirements and environment.