< Back to rules search
AWS CMK deleted or scheduled for deletion
Set up the cloudtrail integration.
Detect when a CMK is deleted or scheduled for deletion.
This rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting CMKs:
Triage & Response
- Determine which user in your organization owns the API key that made this API call.
- Contact the user to see if they intended to make this API call.
- If the user did not make the API call:
- Rotate the credentials.
- Investigate if the same credentials made other unauthorized API calls.