---
title: RCP must prevent KMS ransom attacks
---

# RCP must prevent KMS ransom attacks
 
## Description{% #description %}

A Resource Control Policy (RCP) must be in place to prevent ransomware attacks that leverage AWS KMS actions. KMS-based ransom attacks involve an adversary scheduling key deletion, disabling keys, modifying key policies, or creating grants to lock out the key owner and hold encrypted data hostage. An RCP that denies `kms:ScheduleKeyDeletion`, `kms:DisableKey`, `kms:PutKeyPolicy`, and `kms:CreateGrant` from unauthorized principals provides a preventive guardrail against these attack vectors.

This rule also flags RCPs that use `NotAction` to exempt KMS ransom actions from a deny statement. A `NotAction`-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.

**Note:** RCPs restrict what actions can be performed on resources regardless of which principal makes the request. Ensure AWS service principals are exempted using `aws:PrincipalIsAWSService` conditions to avoid disrupting AWS-managed operations.

## Remediation{% #remediation %}

Create a Resource Control Policy that explicitly denies dangerous KMS actions using `Action` (not `NotAction`) and attach it to the organization root or relevant OUs. Remove any `NotAction`-based deny statements that exempt KMS actions. Refer to the [RCP syntax documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html) and the [AWS KMS best practices](https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-kms-best-practices/introduction.html) for guidance.
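The following is an added example, not Datadog's rule implementation or AWS-provided code: it embeds a compliant RCP beside the `NotAction`-based form this rule flags, and approximates the check described above by reporting which of the four KMS actions lack an explicit `Action` deny and which are exempted through `NotAction`. The org ID `o-exampleorgid` is a placeholder, and the `aws:PrincipalOrgID` condition is one assumed way to express "unauthorized principals".

```python
import json
from fnmatch import fnmatchcase

# The four KMS actions the rule expects an RCP to deny explicitly.
KMS_RANSOM_ACTIONS = (
    "kms:ScheduleKeyDeletion",
    "kms:DisableKey",
    "kms:PutKeyPolicy",
    "kms:CreateGrant",
)

# Constructed sample RCP in the corrected form: explicit Action deny, AWS service
# principals exempted. "o-exampleorgid" is a placeholder organization ID.
COMPLIANT_RCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyKmsRansomActionsFromOutsideOrg",
        "Effect": "Deny",
        "Principal": "*",
        "Action": list(KMS_RANSOM_ACTIONS),
        "Resource": "*",
        "Condition": {
            "StringNotEqualsIfExists": {"aws:PrincipalOrgID": "o-exampleorgid"},
            "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
        },
    }],
})

# Constructed sample RCP in the weak form the rule flags: NotAction carves the KMS
# actions out of the deny, so nothing in this policy actually blocks them.
WEAK_RCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyEverythingExceptKmsRansomActions",
        "Effect": "Deny",
        "Principal": "*",
        "NotAction": list(KMS_RANSOM_ACTIONS),
        "Resource": "*",
        "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate_rcp(policy_json):
    """Return (actions_missing_an_explicit_deny, actions_exempted_via_NotAction)."""
    denied, exempted = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue  # only Deny statements provide the guardrail
        for pattern in _as_list(stmt.get("Action", [])):  # IAM action names are case-insensitive
            denied.update(a for a in KMS_RANSOM_ACTIONS if fnmatchcase(a.lower(), pattern.lower()))
        for pattern in _as_list(stmt.get("NotAction", [])):
            exempted.update(a for a in KMS_RANSOM_ACTIONS if fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in KMS_RANSOM_ACTIONS if a not in denied], sorted(exempted)
```

An empty first list means every ransom action is covered by an explicit deny; a non-empty second list is the `NotAction` exemption this rule reports.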
