AWS KMS key deleted or scheduled for deletion

Docs > Datadog Security > OOTB Rules > AWS KMS key deleted or scheduled for deletion

Classification:

attack

Tactic:

TA0040-impact

Framework:

cis-aws

Control:

4.7

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a KMS (Key Management Service) key is deleted or scheduled for deletion.

Strategy

This rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:

DisableKey
ScheduleKeyDeletion

Triage and response

Determine if user ARN: {{@userIdentity.arn}} in your organization should be making this call.
If the user did not make the API call:
- Rotate the credentials.
- Use the Cloud SIEM - User Investigation OOTB dashboard to investigate other potential unauthorized API calls from this user.

Changelog

16 March 2022 - Updated rule severity and markdown.
16 November 2022 - Updated rule query.