AWS KMS Imported Key Material Deleted

Identifies deletion of imported key material from an AWS KMS customer managed key via DeleteImportedKeyMaterial. Keys created with an external key material origin (BYOK) rely on key material that the customer imports. Deleting that material immediately makes the key unusable and renders all data encrypted under it inaccessible, with no recovery window. Unlike ScheduleKeyDeletion, which enforces a pending deletion period of 7 to 30 days, this action takes effect instantly, making it an attractive primitive for cloud ransomware and data-destruction attacks. Because this operation only applies to external-origin keys and is rare in normal operations, its use by an unexpected principal warrants prompt review.

Elastic rule

[metadata]
creation_date = "2026/06/18"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/18"

[rule]
author = ["Elastic"]
description = """
Identifies deletion of imported key material from an AWS KMS customer managed key via DeleteImportedKeyMaterial. Keys
created with an external key material origin (BYOK) rely on key material that the customer imports. Deleting that
material immediately makes the key unusable and renders all data encrypted under it inaccessible, with no recovery
window. Unlike ScheduleKeyDeletion, which enforces a pending deletion period of 7 to 30 days, this action takes effect
instantly, making it an attractive primitive for cloud ransomware and data-destruction attacks. Because this operation
only applies to external-origin keys and is rare in normal operations, its use by an unexpected principal warrants
prompt review.
"""
false_positives = [
    """
    Encryption or platform teams that operate keys with imported key material (BYOK/HYOK) may delete and re-import
    material during key rotation, migration, or decommissioning. Verify the principal in
    "aws.cloudtrail.user_identity.arn", confirm the change aligns with a planned key lifecycle activity, and check
    whether material was re-imported shortly after. Known administration roles and automation can be excluded after
    validation.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS KMS Imported Key Material Deleted"
note = """## Triage and analysis

### Investigating AWS KMS Imported Key Material Deleted

AWS KMS keys can be created with an external key material origin (BYOK), where the customer imports the cryptographic material rather than having KMS generate it. "DeleteImportedKeyMaterial" removes that material, immediately transitioning the key to a "PendingImport" state where it can no longer encrypt or decrypt. All data protected by the key becomes inaccessible until the exact same material is re-imported. Unlike "ScheduleKeyDeletion", there is no pending window, so the impact is instant and, for an adversary who controls and withholds the original material, effectively irreversible.

Because this action only applies to external-origin keys and is uncommon in normal operations, it should be treated as a high-risk, destructive action when performed unexpectedly. Adversaries may delete imported key material to sabotage recovery, destroy data, or hold encrypted resources for ransom.

### Possible investigation steps

- Identify the actor and authentication context in "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.access_key_id", and "aws.cloudtrail.user_identity.type", and review "source.ip" and "user_agent.original" to determine whether the action came from an expected network path or automation platform.
- Identify the affected key from "aws.cloudtrail.resources.arn" or the "keyId" in "aws.cloudtrail.request_parameters", and determine which services and data depend on it (S3, EBS, RDS, Secrets Manager, etc.).
- Determine whether the same material was re-imported shortly after ("ImportKeyMaterial") or whether the key was left unusable.
- Correlate with surrounding activity by the same principal, such as KMS key policy changes, scheduled key deletions, S3 or EBS destructive actions, or credential changes that may indicate a broader sabotage or ransom attempt.

### False positive analysis

- Organizations with BYOK/HYOK requirements may delete and re-import key material during planned rotation, migration, or decommissioning. Confirm the change is expected and exclude known administration roles or automation on "aws.cloudtrail.user_identity.arn" after validation.

### Response and remediation

- If the deletion is unauthorized, re-import the original key material if it is securely retained, and restore access to affected services.
- Treat any encrypted data whose key material cannot be re-imported as potentially unrecoverable, and engage incident response and data owners to assess impact.
- Rotate or restrict credentials for the principal if compromise is suspected, and constrain "kms:DeleteImportedKeyMaterial" and "kms:ImportKeyMaterial" to a small set of trusted administrators.
- Use AWS Organizations SCPs to limit who can manage imported key material in production accounts.

### Additional information

- [DeleteImportedKeyMaterial API](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html)
- [Importing key material into AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
"""
references = [
    "https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html",
    "https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html",
]
risk_score = 47
rule_id = "f6fee40d-8a5e-4cc8-9f73-8688419c6d68"
setup = """This rule requires AWS CloudTrail management events for AWS KMS and ingestion via the Elastic AWS CloudTrail integration. See https://docs.elastic.co/integrations/aws/cloudtrail."""
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS KMS",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "kms.amazonaws.com"
    and event.action: "DeleteImportedKeyMaterial"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"

[[rule.threat.technique.subtechnique]]
id = "T1485.001"
name = "Lifecycle-Triggered Deletion"
reference = "https://attack.mitre.org/techniques/T1485/001/"

[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
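As an added example (not code from the Elastic rule or its repository), the Python below replays the query's conditions over constructed CloudTrail-style records and applies two checks from the investigation guide: whether an ImportKeyMaterial followed on the same key within a grace window, and whether the actor is a validated administrator. The field names follow the rule's KQL; the ARNs, key IDs, the 15-minute window and the flat dict layout of request_parameters are assumptions.

```python
from datetime import datetime, timedelta

ADMIN = "arn:aws:iam::111111111111:user/kms-admin"          # constructed principal ARN
CI = "arn:aws:sts::111111111111:assumed-role/dev-ci/s1"     # constructed principal ARN
KEY_A = "arn:aws:kms:us-east-1:111111111111:key/aaaa-1111"  # constructed key ARNs
KEY_B = "arn:aws:kms:us-east-1:111111111111:key/bbbb-2222"

def ev(ts, action, outcome, id_type, arn, key):
    """One constructed CloudTrail record using the ECS field names the rule queries."""
    return {"@timestamp": ts, "data_stream.dataset": "aws.cloudtrail",
            "event.provider": "kms.amazonaws.com", "event.action": action,
            "event.outcome": outcome, "aws.cloudtrail.user_identity.type": id_type,
            "aws.cloudtrail.user_identity.arn": arn,
            "aws.cloudtrail.request_parameters": {"keyId": key}}  # assumed flat layout

SAMPLE_EVENTS = [  # constructed sample input
    ev("2026-06-18T10:00:00Z", "DeleteImportedKeyMaterial", "success", "IAMUser", ADMIN, KEY_A),
    ev("2026-06-18T10:04:00Z", "ImportKeyMaterial", "success", "IAMUser", ADMIN, KEY_A),  # planned rotation
    ev("2026-06-18T11:30:00Z", "DeleteImportedKeyMaterial", "success", "AssumedRole", CI, KEY_B),
    ev("2026-06-18T11:31:00Z", "DeleteImportedKeyMaterial", "success", "AWSService", "kms.amazonaws.com", KEY_B),
    ev("2026-06-18T11:32:00Z", "DeleteImportedKeyMaterial", "failure", "AssumedRole", CI, KEY_B),
]

def matches_rule(e):
    """Mirror the rule's KQL: successful KMS DeleteImportedKeyMaterial by a non-AWSService identity."""
    return (e.get("data_stream.dataset") == "aws.cloudtrail"
            and e.get("event.provider") == "kms.amazonaws.com"
            and e.get("event.action") == "DeleteImportedKeyMaterial"
            and e.get("event.outcome") == "success"
            and e.get("aws.cloudtrail.user_identity.type") != "AWSService")

def _ts(e):
    return datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def triage(events, window=timedelta(minutes=15), trusted_arns=frozenset()):
    """Enrich each rule match with the guide's checks: was the same key re-imported
    (ImportKeyMaterial) within `window`, and is the actor a validated admin ARN."""
    imports = [(_ts(e), e["aws.cloudtrail.request_parameters"]["keyId"]) for e in events
               if e.get("event.action") == "ImportKeyMaterial" and e.get("event.outcome") == "success"]
    alerts = []
    for e in (x for x in events if matches_rule(x)):
        t, key = _ts(e), e["aws.cloudtrail.request_parameters"]["keyId"]
        reimported = any(k == key and t <= ti <= t + window for ti, k in imports)
        actor = e["aws.cloudtrail.user_identity.arn"]
        # A deletion with no re-import by an unvalidated actor is the high-risk case the rule targets.
        alerts.append({"key": key, "actor": actor, "reimported": reimported,
                       "trusted": actor in trusted_arns,
                       "priority": "review" if (reimported or actor in trusted_arns) else "high"})
    return alerts
```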
