Ensure deletion window for Customer Managed Keys (CMK) is enabled for AWS Key Management Service (KMS)

HIGH

Description

Not specifying a deletion window of 7 to 30 days for customer master keys (CMKs) is not a good security practice.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the AWS KMS.
  2. Select the AWS Region.
  3. In the navigation pane, choose Customer managed keys.
  4. Select the KMS Key.
  5. Choose Key actions, Schedule key deletion.
  6. For Waiting period (in days), enter a number of days of 30 or greater and select Schedule deletion.

In Terraform -

  1. In the aws_kms_key resource, set the deletion_window_in_days field to a numeric value of 30 or greater.
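The following script is an added example, not part of this policy page or of the Terrascan project, showing how a check like this one can be run locally against the JSON that `terraform show -json <planfile>` emits. It walks `planned_values.root_module` (including child modules), reports every `aws_kms_key` whose `deletion_window_in_days` is missing or outside the 7 to 30 day range the description names, and treats an unset attribute as a finding because the remediation asks for the value to be stated explicitly. The plan document embedded below is constructed for the example.

```python
"""Local check for AC_AWS_0161: every aws_kms_key in a Terraform plan must
declare deletion_window_in_days explicitly, within the 7..30 day range.

Input: the JSON produced by `terraform show -json <planfile>`; only the
planned_values.root_module subtree is read. SAMPLE_PLAN is a constructed
plan used to demonstrate the check offline."""
import json

MIN_DAYS, MAX_DAYS = 7, 30  # the deletion window AWS KMS accepts


def iter_resources(module):
    """Yield every resource in a planned_values module, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_kms_deletion_window(plan):
    """Return a list of (address, reason) findings for non-compliant aws_kms_key resources."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_kms_key":
            continue
        days = res.get("values", {}).get("deletion_window_in_days")
        if days is None:
            # The provider would fill in a default at apply time, but the policy
            # (assumption: as this page's remediation implies) wants it set explicitly.
            findings.append((res["address"], "deletion_window_in_days not set"))
        elif not isinstance(days, int) or not MIN_DAYS <= days <= MAX_DAYS:
            findings.append((res["address"],
                             f"deletion_window_in_days={days!r} outside {MIN_DAYS}-{MAX_DAYS}"))
    return findings


# Constructed sample plan: one compliant key, one with the attribute omitted,
# one non-KMS resource, and a key in a child module with a too-short window.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_kms_key.audit", "type": "aws_kms_key", "name": "audit",
         "values": {"deletion_window_in_days": 30, "enable_key_rotation": true}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
         "values": {"bucket": "example-logs"}},
        {"address": "aws_kms_key.logs", "type": "aws_kms_key", "name": "logs",
         "values": {"enable_key_rotation": true}}
      ],
      "child_modules": [
        {"address": "module.app",
         "resources": [
           {"address": "module.app.aws_kms_key.db", "type": "aws_kms_key", "name": "db",
            "values": {"deletion_window_in_days": 3}}
         ]}
      ]
    }
  }
}
""")


if __name__ == "__main__":
    for address, reason in check_kms_deletion_window(SAMPLE_PLAN):
        print(f"AC_AWS_0161 HIGH {address}: {reason}")
```

To run it against a real plan, replace `SAMPLE_PLAN` with `json.load(open("plan.json"))` after `terraform plan -out=plan.tfplan && terraform show -json plan.tfplan > plan.json`; a non-empty findings list is the signal to fix the `aws_kms_key` resource as described in the remediation step above.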

References:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-scheduling-key-deletion.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#deletion_window_in_days

Policy Details

Rule Reference ID: AC_AWS_0161
CSP: AWS
Remediation Available: Yes
Resource: aws_kms_key
Resource Category: Management

Frameworks