AWS-KMS-CMK-deletion-allowed-to-other-principal

Severity: High

Description: This control ensures that no principal other than the AWS account's root user has permission to delete the CMK. Deleting a CMK also deletes its key material and metadata. If the impact of a deletion is not assessed correctly, deleting a CMK can make data unavailable, because any data encrypted under that key can no longer be decrypted. To prevent such cases, AWS enforces a waiting period during which the key remains in the Pending deletion state and can be recovered. During this period, most functional use of the key, such as encryption and decryption, is unavailable.

Remediation Steps:

Perform the following steps to make the account's root user the owner of the key:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the KMS console.

  3. Select the appropriate region from the top right corner.

  4. In the navigation pane, choose Customer managed keys, and then choose the CMK that you want to modify.

  5. Navigate to Key policy and click Switch to policy view, then click Edit.

  6. Remove the "kms:ScheduleKeyDeletion" privilege from any principal other than the AWS account's root user.
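As an added example, not part of this control's source, the following Python check evaluates a KMS key policy document and reports every Allow statement that grants kms:ScheduleKeyDeletion (directly or through a wildcard such as kms:*) to a principal other than the account root. The account ID 123456789012 and the sample policy are constructed placeholders; a real audit would fetch each key's policy with the KMS GetKeyPolicy API and review statements using NotAction, NotPrincipal or Condition by hand, since this check does not model them.

```python
import fnmatch
import json

DELETE_ACTION = "kms:schedulekeydeletion"  # IAM action names match case-insensitively

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Flatten the Principal element; "*" and {"AWS": "*"} both mean anyone."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    out = []
    for v in principal.values():          # "AWS", "Service", "Federated" keys
        out.extend(_as_list(v))
    return out

def non_root_deleters(policy, account_id):
    """Return (Sid, principal) pairs allowed kms:ScheduleKeyDeletion where the
    principal is not the account root (ARN form or bare account ID)."""
    root_forms = {f"arn:aws:iam::{account_id}:root", account_id}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # fnmatchcase handles IAM's * and ? wildcards against the lowercased action
        if not any(fnmatch.fnmatchcase(DELETE_ACTION, pat) for pat in actions):
            continue
        for principal in _principals(stmt):
            if principal not in root_forms:
                findings.append((stmt.get("Sid", ""), principal))
    return findings

# Constructed sample key policy; account ID 123456789012 is a placeholder
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"},
  {"Sid": "Allow key administrators", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/KeyAdmin"},
   "Action": ["kms:Describe*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"], "Resource": "*"},
  {"Sid": "Allow use of the key", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
   "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}""")

if __name__ == "__main__":
    for sid, who in non_root_deleters(SAMPLE_POLICY, "123456789012"):
        print(f"FINDING: statement '{sid}' lets {who} schedule key deletion")
```

Running the block against the sample policy reports only the "Allow key administrators" statement; the root statement and the encrypt/decrypt-only statement are not flagged.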

Important:

Reference:

Blue Hexagon Proprietary