lacework-global-216

Do not unintentionally delete AWS Key Management Service (KMS) keys (Automated)

Description

This control fails on KMS keys that are scheduled for deletion. A deleted KMS key cannot be recovered, and any data encrypted under it becomes permanently unrecoverable once the key is gone. If a key scheduled for deletion still protects data you need, decrypt that data or re-encrypt it under a new KMS key before the waiting period ends, unless the deletion is an intentional cryptographic erasure. Scheduling a key for deletion starts a mandatory waiting period (30 days by default, configurable down to 7 days) that gives you time to reverse a deletion scheduled in error; cancelling the scheduled deletion during that window keeps the key.

Remediation

  1. Log in to the AWS Management Console and navigate to the AWS Key Management Service (AWS KMS).
  2. Choose Customer-managed keys in the navigation pane.
  3. Select the checkbox next to the KMS key to recover.
  4. Click Key actions and then click Cancel key deletion.

Note: Cancelling the deletion changes the key status from Pending deletion to Disabled, not Enabled. The key cannot be used for cryptographic operations until you re-enable it.
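The same check and remediation, scripted with boto3, as an added example that is not part of this page or of Lacework's own control logic. The pure functions operate on dicts shaped like the KeyMetadata element of `aws kms describe-key`; the sample keys and their IDs are constructed for illustration, and `scan_account`/`cancel_and_reenable` are only reached when you pass a real KMS client (run with `--live`). Because CancelKeyDeletion leaves the key Disabled, the live path also calls EnableKey, which is why the caller needs both `kms:CancelKeyDeletion` and `kms:EnableKey`.

```python
"""Added example (not Lacework's or AWS's code): flag customer-managed KMS keys
whose KeyState is PendingDeletion and reverse the scheduled deletion."""
import sys
from datetime import datetime, timezone

try:
    import boto3  # only needed for the live path (--live)
except ImportError:
    boto3 = None

UTC = timezone.utc

# Constructed sample data; shape follows the KeyMetadata element of
# `aws kms describe-key`. Key IDs are placeholders, not real keys.
SAMPLE_KEYS = [
    {"KeyId": "11111111-1111-1111-1111-111111111111", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled"},
    {"KeyId": "22222222-2222-2222-2222-222222222222", "KeyManager": "CUSTOMER",
     "KeyState": "PendingDeletion",
     "DeletionDate": datetime(2024, 1, 31, tzinfo=UTC)},
    {"KeyId": "33333333-3333-3333-3333-333333333333", "KeyManager": "AWS",
     "KeyState": "Enabled"},
]
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=UTC)  # constructed "current time"


def find_pending_deletion(key_metadata):
    """Keys this control flags: customer-managed and scheduled for deletion."""
    return [m for m in key_metadata
            if m.get("KeyManager") == "CUSTOMER"
            and m.get("KeyState") == "PendingDeletion"]


def days_until_deletion(meta, now):
    """Whole days left in the waiting period (0 once DeletionDate has passed)."""
    return max(0, (meta["DeletionDate"] - now).days)


def remediation_commands(meta):
    """CLI equivalent of the console steps: cancel the deletion, then re-enable."""
    key_id = meta["KeyId"]
    return [f"aws kms cancel-key-deletion --key-id {key_id}",
            f"aws kms enable-key --key-id {key_id}"]


def cancel_and_reenable(kms, key_id):
    """Live remediation with a boto3 KMS client; returns the final KeyState."""
    state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    if state != "PendingDeletion":
        # CancelKeyDeletion raises KMSInvalidStateException in any other state,
        # so do nothing rather than fail on a key that was already handled.
        return state
    kms.cancel_key_deletion(KeyId=key_id)  # PendingDeletion -> Disabled
    kms.enable_key(KeyId=key_id)           # Disabled -> Enabled
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]


def scan_account(kms):
    """Describe every key the caller can list and return the flagged ones."""
    found = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            found.append(kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"])
    return find_pending_deletion(found)


if __name__ == "__main__":
    live = "--live" in sys.argv and boto3 is not None
    now = datetime.now(UTC) if live else SAMPLE_NOW
    keys = scan_account(boto3.client("kms")) if live else SAMPLE_KEYS
    for meta in find_pending_deletion(keys):
        print(f"{meta['KeyId']}: {days_until_deletion(meta, now)} day(s) left")
        print("  " + "\n  ".join(remediation_commands(meta)))
```

Run it without arguments to see the check against the constructed sample; with `--live` it lists and describes every key in the configured region and prints the commands for the flagged ones, and `cancel_and_reenable` can then be called per key once you have confirmed the deletion was not an intentional cryptographic erasure.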

References

https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-3