Rule: KMS Keys Should Not Be Pending Deletion

This rule ensures KMS keys are not left in a pending deletion state to maintain security.

Rule: KMS keys should not be pending deletion
Framework: RBI Cyber Security Framework
Severity: High

Rule Description

The RBI (Reserve Bank of India) Cyber Security Framework specifies that KMS (Key Management Service) keys should not be in a "pending deletion" state. This rule protects the security and integrity of the cryptographic keys used for data protection and confidentiality.

When a KMS key is in the "pending deletion" state, it has been scheduled for permanent deletion but has not yet been removed. This can pose a security risk, as it leaves the key susceptible to unauthorized access or misuse during this transitional phase.

Troubleshooting Steps

If you find that a KMS key is in the "pending deletion" state, follow the troubleshooting steps below to resolve the issue:

  1. Identify the affected KMS key: Use the KMS management console or command-line interface to locate the specific key that is in the "pending deletion" state.

  2. Verify if the key is still needed: Check whether the key is still required for any ongoing operations or systems. If the key is no longer necessary, it is recommended to proceed with the deletion process. Otherwise, ensure proper migration or rekeying is performed before proceeding.

  3. Check for pending actions: Review the key's history and any pending actions related to the key. Resolve any outstanding tasks before attempting to resolve the "pending deletion" status.

  4. Cancel deletion request: If the key is still required and the deletion process was initiated by mistake, cancel the deletion request to retain the key. This can be done through the KMS management console or by using the appropriate API/CLI commands.

  5. Monitor key state: After canceling the deletion request, monitor the key's state to ensure it transitions out of the "pending deletion" status and returns to an active state.

Necessary Codes

Cancel Deletion Request (AWS CLI)

aws kms cancel-key-deletion --key-id <key-id>

Replace <key-id> with the actual identifier of the pending deletion key.

Remediation Steps

Follow the step-by-step guide below to remediate the issue and ensure compliance with the RBI Cyber Security Framework:

  1. Log in to the AWS Management Console or use the AWS CLI with appropriate credentials.

  2. Open the KMS management console.

  3. Select "Customer managed keys" from the left-hand menu.

  4. Identify the KMS key(s) that are in the "pending deletion" state.

  5. Determine if the key is still required:

    • If the key is no longer needed, proceed with the permanent deletion process.
    • If the key is still required, continue with the next steps.

  6. Cancel the deletion request:

    • If using the management console:
      • Select the key.
      • Click on "Cancel key deletion" in the key's "Actions" dropdown menu.
    • If using the AWS CLI:
      • Run the command aws kms cancel-key-deletion --key-id <key-id>, replacing <key-id> with the identifier of the pending deletion key.

  7. Monitor the key's state:

    • Regularly check the key's state in the AWS KMS management console, or with aws kms describe-key --key-id <key-id>, to ensure it transitions out of the "pending deletion" status.
    • Once the key is no longer in the "pending deletion" state it is left disabled; enable it (via "Enable" in the key's "Actions" menu, or aws kms enable-key --key-id <key-id>) so that it returns to an active and usable state.

  8. Follow any additional organization-specific procedures or best practices related to KMS key management and secure key handling.
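The audit-and-cancel procedure above, as an added example written for this page (it is not Cloud Defense's or AWS's own code). It uses boto3's KMS client calls list_keys, describe_key, cancel_key_deletion and enable_key; the filtering in pending_deletion is pure Python over DescribeKey metadata so it can be exercised offline on the constructed SAMPLE_METADATA (placeholder key ids and ARNs), while audit_account and cancel_and_reenable require boto3 and AWS credentials. It also covers the step the walkthrough glosses over: CancelKeyDeletion leaves the key in the Disabled state, so the helper re-enables it before reporting the final KeyState.

```python
# Added example for the KMS "pending deletion" rule: audit a region for keys scheduled
# for deletion, then cancel and re-enable a key that is still needed. Not part of the
# original page; boto3 call names are real, SAMPLE_METADATA is constructed.
from __future__ import annotations

from datetime import datetime, timezone

PENDING_DELETION = "PendingDeletion"

# Constructed sample: the KeyMetadata portion of four DescribeKey responses, with
# placeholder key ids/ARNs, evaluated as of SAMPLE_NOW.
SAMPLE_NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SAMPLE_METADATA = [
    {"KeyId": "11111111-1111-1111-1111-111111111111",
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111",
     "KeyState": "Enabled", "KeyManager": "CUSTOMER"},
    {"KeyId": "22222222-2222-2222-2222-222222222222",
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222",
     "KeyState": PENDING_DELETION, "KeyManager": "CUSTOMER",
     "DeletionDate": datetime(2024, 1, 17, tzinfo=timezone.utc)},   # 7-day waiting period
    {"KeyId": "33333333-3333-3333-3333-333333333333",
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/33333333-3333-3333-3333-333333333333",
     "KeyState": PENDING_DELETION, "KeyManager": "CUSTOMER",
     "DeletionDate": datetime(2024, 2, 9, tzinfo=timezone.utc)},    # 30-day waiting period
    {"KeyId": "44444444-4444-4444-4444-444444444444",
     "Arn": "arn:aws:kms:us-east-1:123456789012:key/44444444-4444-4444-4444-444444444444",
     "KeyState": "Disabled", "KeyManager": "CUSTOMER"},
]


def pending_deletion(key_metadata: list[dict], now: datetime | None = None) -> list[dict]:
    """Step 1/4 of the walkthrough: pick out keys whose KeyState is PendingDeletion.

    Each finding records the key id, ARN and whole days left in the waiting period
    (None when DeletionDate is absent). Findings are sorted most-urgent first so the
    key closest to permanent deletion is reviewed first.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for md in key_metadata:
        if md.get("KeyState") != PENDING_DELETION:
            continue
        deletion_date = md.get("DeletionDate")
        days_left = None
        if deletion_date is not None:
            days_left = max(0, (deletion_date - now).days)
        findings.append({"KeyId": md["KeyId"], "Arn": md.get("Arn"),
                         "DaysUntilDeletion": days_left})
    findings.sort(key=lambda f: (f["DaysUntilDeletion"] is None, f["DaysUntilDeletion"] or 0))
    return findings


def audit_account(kms) -> list[dict]:
    """Live version of the audit: page through ListKeys and describe every key in the region."""
    metadata = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            metadata.append(kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
    return pending_deletion(metadata)


def cancel_and_reenable(kms, key_id: str, enable: bool = True) -> str:
    """Steps 6-7: cancel the scheduled deletion, then confirm the resulting KeyState.

    CancelKeyDeletion moves the key to Disabled, not Enabled; it only becomes usable
    again after EnableKey, so the caller should expect "Enabled" when enable=True and
    "Disabled" when the key is to be kept but not yet put back into service.
    """
    kms.cancel_key_deletion(KeyId=key_id)
    if enable:
        kms.enable_key(KeyId=key_id)
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]


if __name__ == "__main__":
    # Offline dry run on the constructed sample; swap in audit_account(boto3.client("kms"))
    # for a real account.
    for finding in pending_deletion(SAMPLE_METADATA, now=SAMPLE_NOW):
        print(f"{finding['KeyId']}: pending deletion, "
              f"{finding['DaysUntilDeletion']} day(s) until permanent deletion")
```

Run it as-is for the offline report; for a live account, replace the sample with audit_account(boto3.client("kms")) and, for each key the owner confirms is still needed, call cancel_and_reenable(kms, key_id). Keys left pending deletion after the waiting period are unrecoverable along with every ciphertext encrypted under them, which is why the report orders findings by days remaining.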

By following these step-by-step remediation guidelines, you can ensure that KMS keys are not in a "pending deletion" state, thereby complying with the RBI Cyber Security Framework.
