This rule ensures that KMS keys are not in a pending deletion state.
| Field | Value |
| --- | --- |
| Rule | KMS keys should not be pending deletion |
| Framework | NIST 800-53 Revision 5 |
| Severity | High |
Rule Description:
According to NIST 800-53 Revision 5, KMS (Key Management Service) keys should not be left in a "pending deletion" state. This rule checks that KMS keys are properly managed and maintained, so that a key is not irreversibly deleted at the end of its waiting period without the deletion having been reviewed.
Troubleshooting Steps:
1. Identify pending deletion keys:
```
aws kms list-keys
```
2. Verify if the pending deletion is intentional.
3. Determine the reason for pending deletion.
Remediation Steps:
1. Cancel pending deletion:
```
aws kms cancel-key-deletion --key-id <key-id>
```
Replace `<key-id>` with the actual ID of the key.
2. Verify the cancellation:
```
aws kms describe-key --key-id <key-id>
```
Ensure that the "KeyState" is no longer listed as "PendingDeletion" but instead reflects an active state.
3. Document the remediation.
4. Review key management procedures.
5. Monitor and audit KMS key status.
6. Train key administrators.
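The following is an added example, not code from the original rule page: it evaluates the JSON that `aws kms describe-key` returns against this rule, reports how many days remain in the waiting period for each failing key, and produces the cancel command from the remediation step above. It assumes the public AWS DescribeKey response shape (`KeyMetadata.KeyState`, `KeyMetadata.DeletionDate`); the key IDs and dates are constructed samples, and the optional `describe_all_keys_live` helper (a boto3 call, imported lazily so the offline part runs without AWS access) is this example's own addition.

```python
"""Added example, not part of the original rule page: evaluate KMS keys
against "KMS keys should not be pending deletion" using DescribeKey output.

Assumptions: the response shape follows the public AWS DescribeKey API
(KeyMetadata.KeyState, KeyMetadata.DeletionDate); all key IDs and dates
below are constructed samples.
"""
from datetime import datetime, timezone

# Key states that mean deletion has been scheduled. "PendingReplicaDeletion"
# is the multi-Region primary-key variant; both count as findings here.
PENDING_STATES = {"PendingDeletion", "PendingReplicaDeletion"}

# Fixed "now" so the day counts are reproducible (constructed).
SAMPLE_NOW = datetime(2024, 6, 20, tzinfo=timezone.utc)

# Constructed sample: abridged `aws kms describe-key --key-id <key-id>` output for four keys.
SAMPLE_DESCRIBE_KEY = [
    {"KeyMetadata": {"KeyId": "11111111-aaaa-4bbb-8ccc-000000000001",
                     "KeyState": "Enabled", "KeyManager": "CUSTOMER"}},
    {"KeyMetadata": {"KeyId": "22222222-aaaa-4bbb-8ccc-000000000002",
                     "KeyState": "PendingDeletion", "KeyManager": "CUSTOMER",
                     "DeletionDate": "2024-06-30T00:00:00+00:00"}},
    {"KeyMetadata": {"KeyId": "33333333-aaaa-4bbb-8ccc-000000000003",
                     "KeyState": "PendingReplicaDeletion", "KeyManager": "CUSTOMER",
                     "MultiRegion": True, "DeletionDate": "2024-07-05T00:00:00+00:00"}},
    {"KeyMetadata": {"KeyId": "44444444-aaaa-4bbb-8ccc-000000000004",
                     "KeyState": "Disabled", "KeyManager": "AWS"}},
]


def _parse_deletion_date(value):
    """Accept the CLI's ISO-8601 string or boto3's datetime; return an aware datetime."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_key(describe_output, now=None):
    """Return a finding for one DescribeKey response: PASS, or FAIL with the
    days left in the waiting period and the commands that remediate it."""
    md = describe_output["KeyMetadata"]
    state = md["KeyState"]
    finding = {"KeyId": md["KeyId"], "KeyState": state, "Status": "PASS",
               "DaysUntilDeletion": None, "Remediation": []}
    if state not in PENDING_STATES:
        return finding
    finding["Status"] = "FAIL"
    deletion = md.get("DeletionDate")
    if deletion is not None:  # absent in some responses; keep the finding anyway
        now = now or datetime.now(timezone.utc)
        finding["DaysUntilDeletion"] = max(0, (_parse_deletion_date(deletion) - now).days)
    # cancel-key-deletion leaves the key in the Disabled state, so re-enabling
    # it is a separate, deliberate step.
    finding["Remediation"] = [
        f"aws kms cancel-key-deletion --key-id {md['KeyId']}",
        f"aws kms enable-key --key-id {md['KeyId']}",
    ]
    return finding


def failing_keys(describe_outputs, now=None):
    """Findings for every key whose deletion is pending, soonest deadline first."""
    findings = [evaluate_key(d, now) for d in describe_outputs]
    fails = [f for f in findings if f["Status"] == "FAIL"]
    # Keys without a DeletionDate sort last.
    return sorted(fails, key=lambda f: (f["DaysUntilDeletion"] is None,
                                        f["DaysUntilDeletion"] or 0))


def describe_all_keys_live(region_name=None):
    """Optional: fetch DescribeKey for every key in the account/region with boto3.
    boto3 is imported here so the offline sample above needs no AWS access."""
    import boto3
    kms = boto3.client("kms", region_name=region_name)
    outputs = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            outputs.append(kms.describe_key(KeyId=key["KeyId"]))
    return outputs


if __name__ == "__main__":
    for f in failing_keys(SAMPLE_DESCRIBE_KEY, now=SAMPLE_NOW):
        print(f"FAIL {f['KeyId']} ({f['KeyState']}), {f['DaysUntilDeletion']} days left")
        for cmd in f["Remediation"]:
            print("    " + cmd)
```

Run it against live data by replacing `SAMPLE_DESCRIBE_KEY` with `describe_all_keys_live()`. The second remediation command is included because cancelling a scheduled deletion only returns the key to the Disabled state; whether to re-enable it is the decision the "verify if the pending deletion is intentional" step above is meant to settle.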
Conclusion:
By following the above remediation steps, you can ensure that KMS keys are not left in a "pending deletion" state, aligning with the NIST 800-53 Revision 5 guidelines. Regular monitoring and proper key management procedures will help maintain a secure and well-controlled KMS environment.