AWS KMS key deleted or scheduled for deletion

cloudtrail

Classification:

attack

Tactic:

Technique:

Framework:

cis-aws

Control:

4.7

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a KMS (Key Management Service) key is deleted or scheduled for deletion.

Strategy

This rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:

Triage and response

  1. Determine if user ARN: {{@userIdentity.arn}} in your organization should be making this call.
  2. If the user did not make the API call:
    • Rotate the credentials.
    • Use the Cloud SIEM - User Investigation OOTB dashboard to investigate other potential unauthorized API calls from this user.

Changelog

  • 16 March 2022 - Updated rule severity and markdown.
  • 16 November 2022 - Updated rule query.