---
title: AWS KMS key deleted or scheduled for deletion
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS KMS key deleted or scheduled for deletion
- Classification: attack
- Tactic: [TA0040-impact](https://attack.mitre.org/tactics/TA0040)
- Technique: [T1485-data-destruction](https://attack.mitre.org/techniques/T1485)
- Framework: cis-aws
- Control: 4.7

## Goal{% #goal %}

Detect when an AWS KMS (Key Management Service) key is disabled or scheduled for deletion. KMS keys cannot be deleted immediately: `ScheduleKeyDeletion` starts a mandatory waiting period of 7 to 30 days (30 by default), after which the key material is destroyed and every ciphertext encrypted under that key becomes unrecoverable.

## Strategy{% #strategy %}

This rule monitors the following CloudTrail API calls (event source `kms.amazonaws.com`) to detect an attacker disabling KMS keys or scheduling them for deletion:

- [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html): the key can no longer be used for cryptographic operations; reversible with `EnableKey`.
- [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html): starts the waiting period after which the key is destroyed; reversible with `CancelKeyDeletion` only until that period expires.

## Triage and response{% #triage-and-response %}

1. Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call. Check `requestParameters.keyId` to identify the affected key and, for `ScheduleKeyDeletion`, `pendingWindowInDays` (default 30) to see how long the key can still be recovered.
1. If the user did not make the API call:
   - Rotate the credentials.
   - Recover the key before the action becomes permanent: `EnableKey` for a disabled key, `CancelKeyDeletion` for a key pending deletion (no longer possible once the waiting period has elapsed).
   - Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.

## Changelog{% #changelog %}

- 16 March 2022 - Updated rule severity and markdown.
- 16 November 2022 - Updated rule query.
