AWS KMS Customer Managed Key Disabled or Scheduled for Deletion

Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2022/09/21"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Xavier Pich"]
  9description = """
 10Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS
 11key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key
 12and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be
 13decrypted, which means that data becomes unrecoverable.
 14"""
 15false_positives = [
 16    """
 17    A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the
 18    user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar
 19    users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 20    """,
 21]
 22from = "now-60m"
 23index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 24interval = "10m"
 25language = "kuery"
 26license = "Elastic License v2"
 27name = "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion"
 28note = """## Triage and analysis
 29
 30> **Disclaimer**:
 31> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 32
 33### Investigating AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
 34
 35AWS Key Management Service (KMS) allows users to create and manage cryptographic keys for data encryption. Customer Managed Keys (CMKs) are crucial for securing sensitive data. Adversaries may disable or schedule deletion of CMKs to render encrypted data inaccessible, causing data loss. The detection rule monitors successful disablement or deletion attempts, alerting analysts to potential data destruction activities.
 36
 37### Possible investigation steps
 38
 39- Review the CloudTrail logs for the specific event.dataset:aws.cloudtrail entries to identify the user or role that initiated the DisableKey or ScheduleKeyDeletion action.
 40- Check the event.provider:kms.amazonaws.com logs to gather additional context about the KMS key involved, including its key ID and any associated metadata.
 41- Investigate the event.action:("DisableKey" or "ScheduleKeyDeletion") to determine if the action was authorized and aligns with recent changes or requests within the organization.
 42- Analyze the event.outcome:success to confirm the success of the action and assess the potential impact on encrypted data.
 43- Cross-reference the timing of the event with any known incidents or maintenance activities to rule out false positives or expected behavior.
 44- Contact the user or team responsible for the action to verify the intent and ensure it was a legitimate operation.
 45
 46### False positive analysis
 47
 48- Routine key management activities by authorized personnel can trigger alerts. Regularly review and document key management procedures to differentiate between legitimate and suspicious activities.
 49- Automated scripts or tools used for key rotation or lifecycle management might disable or schedule deletion of keys as part of their process. Identify and whitelist these scripts or tools to prevent unnecessary alerts.
 50- Testing environments where keys are frequently created and deleted for development purposes can generate false positives. Exclude these environments from monitoring or adjust the rule to focus on production environments.
 51- Scheduled maintenance or compliance audits may involve disabling keys temporarily. Coordinate with relevant teams to schedule these activities and temporarily adjust monitoring rules to avoid false alerts.
 52- Misconfigured alerts due to incorrect tagging or categorization of keys can lead to false positives. Ensure that all keys are correctly tagged and categorized to align with monitoring rules.
 53
 54### Response and remediation
 55
 56- Immediately verify the legitimacy of the disablement or deletion action by contacting the key owner or relevant stakeholders to confirm if the action was intentional.
 57- If the action was unauthorized, revoke any access credentials or permissions associated with the user or service that performed the action to prevent further unauthorized activities.
 58- Restore access to encrypted data by identifying any backup keys or data recovery options available, and initiate data recovery procedures if possible.
 59- Escalate the incident to the security operations team and relevant management to assess the impact and coordinate a broader response if necessary.
 60- Implement additional monitoring and alerting for any further attempts to disable or delete KMS keys, ensuring that alerts are sent to the appropriate personnel for rapid response.
 61- Review and tighten IAM policies and permissions related to KMS key management to ensure that only authorized personnel have the ability to disable or delete keys.
 62- Conduct a post-incident review to identify any gaps in the current security posture and update incident response plans to address similar threats in the future.
 63
 64## Setup
 65
 66The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 67references = [
 68    "https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html",
 69    "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html",
 70]
 71risk_score = 47
 72rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
 73severity = "medium"
 74tags = [
 75    "Domain: Cloud",
 76    "Data Source: AWS",
 77    "Data Source: Amazon Web Services",
 78    "Data Source: AWS KMS",
 79    "Use Case: Log Auditing",
 80    "Tactic: Impact",
 81    "Resources: Investigation Guide",
 82]
 83timestamp_override = "event.ingested"
 84type = "query"
 85
 86query = '''
 87event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success
 88'''
 89
 90
 91[[rule.threat]]
 92framework = "MITRE ATT&CK"
 93[[rule.threat.technique]]
 94id = "T1485"
 95name = "Data Destruction"
 96reference = "https://attack.mitre.org/techniques/T1485/"
 97
 98
 99[rule.threat.tactic]
100id = "TA0040"
101name = "Impact"
102reference = "https://attack.mitre.org/tactics/TA0040/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating AWS KMS Customer Managed Key Disabled or Scheduled for Deletion

AWS Key Management Service (KMS) allows users to create and manage cryptographic keys for data encryption. Customer Managed Keys (CMKs) are crucial for securing sensitive data. Adversaries may disable or schedule deletion of CMKs to render encrypted data inaccessible, causing data loss. The detection rule monitors successful disablement or deletion attempts, alerting analysts to potential data destruction activities.

Possible investigation steps

  • Review the CloudTrail logs for the specific event.dataset:aws.cloudtrail entries to identify the user or role that initiated the DisableKey or ScheduleKeyDeletion action.
  • Check the event.provider:kms.amazonaws.com logs to gather additional context about the KMS key involved, including its key ID and any associated metadata.
  • Investigate the event.action:("DisableKey" or "ScheduleKeyDeletion") to determine if the action was authorized and aligns with recent changes or requests within the organization.
  • Analyze the event.outcome:success to confirm the success of the action and assess the potential impact on encrypted data.
  • Cross-reference the timing of the event with any known incidents or maintenance activities to rule out false positives or expected behavior.
  • Contact the user or team responsible for the action to verify the intent and ensure it was a legitimate operation.

False positive analysis

  • Routine key management activities by authorized personnel can trigger alerts. Regularly review and document key management procedures to differentiate between legitimate and suspicious activities.
  • Automated scripts or tools used for key rotation or lifecycle management might disable or schedule deletion of keys as part of their process. Identify and whitelist these scripts or tools to prevent unnecessary alerts.
  • Testing environments where keys are frequently created and deleted for development purposes can generate false positives. Exclude these environments from monitoring or adjust the rule to focus on production environments.
  • Scheduled maintenance or compliance audits may involve disabling keys temporarily. Coordinate with relevant teams to schedule these activities and temporarily adjust monitoring rules to avoid false alerts.
  • Misconfigured alerts due to incorrect tagging or categorization of keys can lead to false positives. Ensure that all keys are correctly tagged and categorized to align with monitoring rules.

Response and remediation

  • Immediately verify the legitimacy of the disablement or deletion action by contacting the key owner or relevant stakeholders to confirm if the action was intentional.
  • If the action was unauthorized, revoke any access credentials or permissions associated with the user or service that performed the action to prevent further unauthorized activities.
  • Restore access to encrypted data by identifying any backup keys or data recovery options available, and initiate data recovery procedures if possible.
  • Escalate the incident to the security operations team and relevant management to assess the impact and coordinate a broader response if necessary.
  • Implement additional monitoring and alerting for any further attempts to disable or delete KMS keys, ensuring that alerts are sent to the appropriate personnel for rapid response.
  • Review and tighten IAM policies and permissions related to KMS key management to ensure that only authorized personnel have the ability to disable or delete keys.
  • Conduct a post-incident review to identify any gaps in the current security posture and update incident response plans to address similar threats in the future.

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top