
Metadata

Id: 56a585f5-555c-48b2-8395-e64e4740a9cf

Cloud Provider: AWS

Platform: Terraform

Severity: Medium

Category: Observability

Learn More

Description

A log metric filter and a corresponding alarm should be in place to detect when a customer master key (CMK) in AWS KMS is disabled or scheduled for deletion, because these actions may indicate unauthorized or risky changes to encryption controls. Without such alerting, malicious or accidental actions against CMKs can go unnoticed, putting sensitive encrypted data at risk of compromise or loss. A secure Terraform example ensures that the aws_cloudwatch_metric_alarm evaluates the metric produced by the aws_cloudwatch_log_metric_filter, so that matching events trigger alerts:

// Illustrative excerpt: the alarm is wired to the filter by referencing the
// filter resource rather than by a hand-typed metric name that can drift.
resource "aws_cloudwatch_metric_alarm" "disable_delete_cmk" {
  // The filter's id resolves to its name. This selects the intended metric
  // only while the filter name and its metric_transformation name are kept
  // identical, as they are in the examples below; the namespaces must match too.
  metric_name  = aws_cloudwatch_log_metric_filter.disable_delete_cmk.id
  // other attributes...
}

Compliant Code Examples

// Compliant example. The region only determines where these resources are
// created; the detection itself depends on which events reach the log group.
provider "aws" {
  region = "us-east-2"
}

// Log group the metric filter below reads from. This example does not show a
// CloudTrail trail delivering to it; until one does, the filter sees no
// events and the alarm has nothing to evaluate.
resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
  name = "CIS_CloudWatch_LogsGroup"
}

// Notification target for the alarm. Subscriptions (email, chat, ticketing)
// are not part of this example, so add them or the alarm notifies nobody.
resource "aws_sns_topic" "cis_alerts_sns_topic" {
  name = "cis-alerts-sns-topic"
}

// Alarm on the CMK disable / schedule-deletion metric emitted by the log
// metric filter declared below. Notifications go to the SNS topic above.
resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
  alarm_name = "CIS-4.7-Disable-Scheduled-Delete-CMK"

  // Which metric to watch: the filter's id resolves to its name, and in this
  // example that name equals the filter's metric_transformation name, so the
  // reference selects the emitted metric. The namespace must match as well.
  namespace   = "CIS_Metric_Alarm_Namespace"
  metric_name = aws_cloudwatch_log_metric_filter.cis_disable_delete_cmk.id
  statistic   = "Sum"
  period      = "300"

  // Fire as soon as a single matching event lands in one 5-minute period.
  comparison_operator = "GreaterThanOrEqualToThreshold"
  threshold           = "1"
  evaluation_periods  = "1"

  alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
  // No action on INSUFFICIENT_DATA: if CloudTrail stops delivering to the log
  // group, the alarm goes quiet instead of notifying anyone. Consider routing
  // that state to the topic too if silent loss of telemetry is a concern.
  insufficient_data_actions = []
}

// Turns CloudTrail events for disabling or scheduling deletion of a KMS CMK
// into a metric datapoint that the alarm above evaluates.
resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
  name           = "CIS-4.7-Disable-Scheduled-Delete-CMK"
  // Both conditions are required (&&): the event must come from KMS AND be
  // one of the two key-disabling actions. Weakening either side changes what
  // the alarm detects.
  pattern        = "{ ($.eventSource = \"kms.amazonaws.com\") && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  // name and namespace here are what the alarm's metric_name and namespace
  // must resolve to; the filter name above is kept identical to name so the
  // alarm's reference to this filter's id lands on this metric.
  metric_transformation {
    name      = "CIS-4.7-Disable-Scheduled-Delete-CMK"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

Non-Compliant Code Examples

// Non-compliant example 1. The defect is in the metric filter pattern below;
// the provider, log group, topic and alarm are unchanged from the compliant case.
provider "aws" {
  region = "us-east-2"
}

// Log group read by the metric filter below; no CloudTrail delivery to it is
// shown in this example.
resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
  name = "CIS_CloudWatch_LogsGroup"
}

// Notification target for the alarm; subscriptions are not shown here.
resource "aws_sns_topic" "cis_alerts_sns_topic" {
  name = "cis-alerts-sns-topic"
}

// This alarm is wired correctly to the filter below (same namespace, metric
// name derived from the filter's id). It is the filter's pattern, not the
// alarm, that makes this example non-compliant.
resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
  alarm_name                = "CIS-4.7-Disable-Scheduled-Delete-CMK"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.cis_disable_delete_cmk.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_actions             = [aws_sns_topic.cis_alerts_sns_topic.arn]
  // Empty: loss of telemetry (INSUFFICIENT_DATA) notifies nobody.
  insufficient_data_actions = []
}

// NON-COMPLIANT: the top-level operator in the pattern is || instead of &&.
resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
  name           = "CIS-4.7-Disable-Scheduled-Delete-CMK"
  // With ||, any event whose source is kms.amazonaws.com matches (routine
  // Encrypt/Decrypt traffic included), and DisableKey / ScheduleKeyDeletion
  // from any other service also matches. The alarm then fires on ordinary
  // KMS activity and no longer specifically signals a CMK being disabled or
  // scheduled for deletion. The compliant form joins the two clauses with &&.
  pattern        = "{ ($.eventSource = \"kms.amazonaws.com\") || (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-4.7-Disable-Scheduled-Delete-CMK"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}
// Non-compliant example 2. The defect is an incomplete event list in the
// metric filter pattern below.
provider "aws" {
  region = "us-east-2"
}

// Log group read by the metric filter below; no CloudTrail delivery to it is
// shown in this example.
resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
  name = "CIS_CloudWatch_LogsGroup"
}

// Notification target for the alarm; subscriptions are not shown here.
resource "aws_sns_topic" "cis_alerts_sns_topic" {
  name = "cis-alerts-sns-topic"
}

// Alarm wiring is correct here (namespace and metric name line up with the
// filter below); the gap in this example is in what the filter matches.
resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
  alarm_name                = "CIS-4.7-Disable-Scheduled-Delete-CMK"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.cis_disable_delete_cmk.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_actions             = [aws_sns_topic.cis_alerts_sns_topic.arn]
  // Empty: loss of telemetry (INSUFFICIENT_DATA) notifies nobody.
  insufficient_data_actions = []
}

// NON-COMPLIANT: the pattern covers ScheduleKeyDeletion only.
resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
  name           = "CIS-4.7-Disable-Scheduled-Delete-CMK"
  // DisableKey is missing, so disabling a CMK produces no metric datapoint
  // and is never alarmed, even though disabling a key makes everything
  // encrypted under it unreadable until it is re-enabled. The compliant
  // pattern includes ($.eventName = DisableKey) alongside ScheduleKeyDeletion.
  pattern        = "{ ($.eventSource = \"kms.amazonaws.com\") && (($.eventName = ScheduleKeyDeletion)) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-4.7-Disable-Scheduled-Delete-CMK"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}
// Non-compliant example 3. The filter is correct; the defect is that the
// alarm below is not pointed at the filter's metric.
provider "aws" {
  region = "us-east-2"
}

// Log group read by the metric filter below; no CloudTrail delivery to it is
// shown in this example.
resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
  name = "CIS_CloudWatch_LogsGroup"
}

// Notification target for the alarm; subscriptions are not shown here.
resource "aws_sns_topic" "cis_alerts_sns_topic" {
  name = "cis-alerts-sns-topic"
}

// NON-COMPLIANT: the alarm watches a metric the filter never emits.
resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
  alarm_name                = "CIS-4.7-Disable-Scheduled-Delete-CMK"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  // "OTHER FILTER" does not equal the filter's metric_transformation name
  // ("CIS-4.7-Disable-Scheduled-Delete-CMK"), so no datapoint ever reaches
  // this alarm and CMK disable/deletion events go unreported. Referencing
  // aws_cloudwatch_log_metric_filter.cis_disable_delete_cmk.id instead of a
  // literal keeps the two from drifting apart.
  metric_name               = "OTHER FILTER"
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_actions             = [aws_sns_topic.cis_alerts_sns_topic.arn]
  // Empty: the alarm will sit in INSUFFICIENT_DATA indefinitely because of the
  // wrong metric name above, and nobody is told. Acting on this state would
  // have surfaced the misconfiguration.
  insufficient_data_actions = []
}

// This filter matches the compliant pattern exactly; the problem in this
// example is that the alarm above does not consume the metric it emits.
resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
  name           = "CIS-4.7-Disable-Scheduled-Delete-CMK"
  pattern        = "{ ($.eventSource = \"kms.amazonaws.com\") && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  // The alarm must use this name and namespace for the wiring to work.
  metric_transformation {
    name      = "CIS-4.7-Disable-Scheduled-Delete-CMK"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}