AWS KMS Customer Managed Key Disabled or Scheduled for Deletion

  1[metadata]
  2creation_date = "2022/09/21"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/16"
  6
  7[rule]
  8author = ["Xavier Pich"]
  9description = """
 10Identifies attempts to disable or schedule the deletion of an AWS customer managed KMS Key. Disabling or scheduling a
 11KMS key for deletion removes the ability to decrypt data encrypted under that key and can permanently destroy access to
 12critical resources. Adversaries may use these operations to cause irreversible data loss, disrupt business operations,
 13impede incident response, or hide evidence of prior activity. Because KMS keys often protect sensitive or regulated
 14data, any modification to their lifecycle should be considered highly sensitive and investigated promptly.
 15"""
 16false_positives = [
 17    """
 18    A customer managed KMS key may be disabled or scheduled for deletion by a system administrator. Verify whether the
 19    user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar
 20    users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 21    """,
 22]
 23from = "now-6m"
 24index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 25language = "kuery"
 26license = "Elastic License v2"
 27name = "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion"
 28note = """## Triage and analysis
 29
 30### Investigating AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
 31
 32AWS KMS keys underpin encryption for S3, EBS, RDS, Secrets Manager, Lambda, and numerous other AWS services. Disabling a KMS key or scheduling its deletion immediately disrupts encryption and decryption workflows, and, once deleted, renders all data encrypted with that key unrecoverable.
 33
 34Because these operations are rare, highly privileged, and tightly controlled in mature environments, they should be treated as high-risk, destructive actions when performed unexpectedly. Adversaries may disable or delete KMS keys to sabotage recovery, impede forensic analysis, or destroy evidence after exfiltration.
 35
 36
 37#### Possible investigation steps
 38
 39- **Identify the actor and authentication context**
 40  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine the caller.
 41  - Check `source.ip`, `source.geo` fields, and `user_agent.original` to determine whether the action originated from an expected network path or automation platform.
 42  - Compare the actor and access key to historical usage patterns.
 43
 44- **Determine what key was affected and its criticality**
 45  - Inspect `aws.cloudtrail.resources.arn` to identify the KMS key.
 46  - Determine:
 47    - The services and data protected by the key (e.g., RDS, EBS, S3, Secrets Manager).
 48    - The environment (prod vs. dev).
 49    - Owner or application team.
 50
 51- **Understand the scope and intent of the change**
 52  - For `DisableKey`, determine whether a dependent service immediately began failing or experienced decryption errors.
 53  - For `ScheduleKeyDeletion`, examine the `PendingWindowInDays` value within `aws.cloudtrail.request_parameters`.
 54  - Check whether the key was previously rotated, enabled/disabled, or had its policy recently modified.
 55
 56- **Correlate with surrounding events**
 57  - Look for:
 58    - IAM policy changes granting new KMS privileges.
 59    - Access anomalies involving the same principal.
 60    - File system, database, or backup deletions near the same timeframe.
 61    - S3, EBS, or RDS resources showing encryption failures.
 62  - Determine whether other keys were modified in the same window (possible broader sabotage attempt).
 63
 64- **Validate intent with owners**
 65  - Confirm with the application, data, or security owners:
 66    - Whether deactivation or scheduled deletion was requested.
 67    - Whether the key was being replaced, migrated, or retired.
 68
 69### False positive analysis
 70
 71- **Planned key lifecycle activities**
 72  - Some organizations disable KMS keys before rotation, migration, or decommissioning.
 73  - Scheduled deletion during infrastructure teardown may be expected in CI/CD-driven ephemeral environments.
 74
 75- **Configuration errors**
 76  - Misapplied tags or incorrect CloudFormation teardown workflows can unintentionally disable or schedule deletion of KMS keys.
 77
 78If any of the above conditions apply, consider adjusting rule exceptions based on IAM principal, environment tag, or automation role.
 79
 80### Response and remediation
 81
 82- **Contain and validate**
 83  - Immediately confirm whether the key disablement or deletion schedule was intentional.
 84  - If unauthorized, cancel scheduled deletion (`CancelKeyDeletion`) and re-enable the key (`EnableKey`) as appropriate.
 85  - Rotate credentials or access keys used by the actor if compromise is suspected.
 86
 87- **Assess impact**
 88  - Identify all AWS services and data encrypted with the affected KMS key.
 89  - Review logs and service metrics for failures involving:
 90    - EBS volume attachments
 91    - RDS instance decryption
 92    - S3 object access
 93    - Secrets Manager retrieval
 94    - Lambda environment variable decryption
 95
 96- **Investigate for compromise**
 97  - Review CloudTrail activity for the principal:
 98    - Permission escalations
 99    - Unusual STS role assumptions
100    - S3, EC2, RDS destructive behavior
101  - Look for preceding data access or exfiltration attempts.
102
103- **Strengthen controls**
104  - Restrict AWS KMS lifecycle permissions (`kms:DisableKey`, `kms:ScheduleKeyDeletion`) to a very small privileged set.
105  - Use AWS Organizations SCPs to prevent KMS key deletion in production accounts.
106  - Enable AWS Config rules for KMS key state monitoring.
107  - Require MFA for administrators capable of key management.
108
109- **Post-incident improvement**
110  - Update runbooks to include KMS lifecycle change approvals.
111  - Implement tagging standards to designate high-risk keys.
112  - Enhance monitoring for key policy modifications or changes to principal permissions.
113
114### Additional information
115- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
116- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
117- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
118"""
119references = [
120    "https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html",
121    "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html",
122]
123risk_score = 47
124rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
125severity = "medium"
126tags = [
127    "Domain: Cloud",
128    "Data Source: AWS",
129    "Data Source: Amazon Web Services",
130    "Data Source: AWS KMS",
131    "Use Case: Log Auditing",
132    "Tactic: Impact",
133    "Resources: Investigation Guide",
134]
135timestamp_override = "event.ingested"
136type = "query"
137
138query = '''
139event.dataset: "aws.cloudtrail"
140    and event.provider: "kms.amazonaws.com" 
141    and event.action: ("DisableKey" or "ScheduleKeyDeletion") 
142    and event.outcome: "success"
143'''
144
145
146[[rule.threat]]
147framework = "MITRE ATT&CK"
148[[rule.threat.technique]]
149id = "T1485"
150name = "Data Destruction"
151reference = "https://attack.mitre.org/techniques/T1485/"
152
153
154[rule.threat.tactic]
155id = "TA0040"
156name = "Impact"
157reference = "https://attack.mitre.org/tactics/TA0040/"
158
159[rule.investigation_fields]
160field_names = [
161    "@timestamp",
162    "user.name",
163    "user_agent.original",
164    "source.ip",
165    "aws.cloudtrail.user_identity.arn",
166    "aws.cloudtrail.user_identity.type",
167    "aws.cloudtrail.user_identity.access_key_id",
168    "aws.cloudtrail.resources.arn",
169    "aws.cloudtrail.resources.type",
170    "event.action",
171    "event.outcome",
172    "cloud.account.id",
173    "cloud.region",
174    "aws.cloudtrail.request_parameters",
175    "aws.cloudtrail.response_elements",
176]