AWS-KMS-CMK-deletion-set

Severity: Medium

Description: This control ensures that no required CMK is scheduled for deletion. Deleting an AWS KMS CMK is destructive: it removes both the key material and the associated metadata. If the blast radius is not assessed correctly, deleting a CMK can make data unavailable, because anything encrypted under that key can no longer be decrypted. To guard against this, AWS enforces a waiting period during which the key remains in the Pending Deletion state and can be recovered. During this period, most functional use of the key, such as encryption and decryption, is unavailable.

Remediation Steps:

Perform the following steps to cancel the scheduled deletion of a CMK:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the KMS console.

  3. Select the appropriate region from the top right corner.

  4. In the navigation pane, choose Customer managed keys, and then choose the CMK whose deletion you want to cancel.

  5. Click the Key actions button and then click Cancel Key Deletion.
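The same check and remediation done programmatically, as an added example that is not Blue Hexagon's own code. It assumes `kms` is any object exposing the boto3 KMS client methods list_keys, describe_key and cancel_key_deletion (a real boto3.client("kms", region_name=...) can be passed in); the FakeKms class and SAMPLE_KEYS are constructed stand-ins so the example runs offline.

```python
def customer_managed_keys(kms):
    """Yield KeyMetadata of each customer-managed key, following list_keys pagination."""
    kwargs = {}
    while True:
        page = kms.list_keys(**kwargs)
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            if meta.get("KeyManager") == "CUSTOMER":  # AWS-managed keys are out of scope
                yield meta
        if not page.get("Truncated"):
            return
        kwargs["Marker"] = page["NextMarker"]
def find_pending_deletion(kms):
    """Keys failing this control, soonest DeletionDate first (those are the most urgent)."""
    pending = [m for m in customer_managed_keys(kms) if m["KeyState"] == "PendingDeletion"]
    return sorted(pending, key=lambda m: m["DeletionDate"])
def cancel_deletion(kms, key_ids):
    """Cancel the scheduled deletion; AWS leaves the key Disabled, so re-enable it afterwards."""
    return [kms.cancel_key_deletion(KeyId=k)["KeyId"] for k in key_ids]

class FakeKms:
    """Constructed in-memory stand-in that mirrors the boto3 response shapes used above."""
    def __init__(self, keys):
        self.keys = {k["KeyId"]: dict(k) for k in keys}
    def list_keys(self, Marker=None, Limit=1000):
        return {"Keys": [{"KeyId": k} for k in self.keys], "Truncated": False}
    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.keys[KeyId])}
    def cancel_key_deletion(self, KeyId):
        meta = self.keys[KeyId]
        if meta["KeyState"] != "PendingDeletion":  # real API: KMSInvalidStateException
            raise RuntimeError("key %s is not pending deletion" % KeyId)
        meta["KeyState"] = "Disabled"
        meta.pop("DeletionDate", None)
        return {"KeyId": KeyId}

SAMPLE_KEYS = [  # constructed sample data; DeletionDate kept as ISO strings for brevity
    {"KeyId": "key-a", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    {"KeyId": "key-b", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion", "DeletionDate": "2024-01-30"},
    {"KeyId": "key-c", "KeyManager": "AWS", "KeyState": "PendingDeletion", "DeletionDate": "2024-01-10"},
    {"KeyId": "key-d", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion", "DeletionDate": "2024-01-20"},
]

def run_check(kms=None, remediate=False):
    """Return ids of keys failing the control; with remediate=True, cancel their deletion too."""
    kms = kms or FakeKms(SAMPLE_KEYS)
    failing = [m["KeyId"] for m in find_pending_deletion(kms)]
    if remediate:
        cancel_deletion(kms, failing)
    return failing
```

Run the check first without remediate so a reviewer can confirm each listed key is still required before its deletion is cancelled.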

Important:

Reference:

Blue Hexagon Proprietary