AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
KMS Keys Scheduled For Deletion Should Be Recovered
More Info:
Any disabled AWS KMS Customer Master Keys (CMK) that have been accidentally or intentionally scheduled for deletion should be recovered in order to prevent losing any data encrypted with these keys.
Risk Level
Low
Address
Reliability, Security
Compliance Standards
HIPAA, NIST, AWSWAF
Triage and Remediation
Remediation
Sure, here are the step by step instructions to remediate the KMS Keys Scheduled for Deletion should be recovered misconfiguration in AWS using the AWS console:
-
Open the AWS Management Console and navigate to the KMS service.
-
In the left navigation pane, click on “Scheduled Deletion”.
-
Check the list of keys scheduled for deletion and identify the key that needs to be recovered.
-
Select the key by clicking on the checkbox next to it.
-
Click on the “Recover” button on the top of the page.
-
In the confirmation dialog box, click on the “Recover” button again to confirm the recovery.
-
Once the key is recovered, it will be available for use again.
That’s it! You have successfully remediated the KMS Keys Scheduled for Deletion should be recovered misconfiguration in AWS using the AWS console.
Sure, here are the step-by-step instructions to remediate the KMS Keys Scheduled for Deletion should be Recovered issue in AWS using AWS CLI:
-
Open the AWS CLI on your local machine.
-
Run the following command to list all the KMS keys that are scheduled for deletion:
aws kms list-grants --key-id <key-id> --query "Grants[?RetiringPrincipal!=''].GrantId"
Note: Replace <key-id> with the ID of the KMS key that is scheduled for deletion.
-
Review the output of the command and identify the Grant IDs of the grants that are scheduled for deletion.
-
Run the following command to recover the grants that are scheduled for deletion:
aws kms retire-grant --key-id <key-id> --grant-id <grant-id>
Note: Replace <key-id> with the ID of the KMS key that is scheduled for deletion and <grant-id> with the ID of the grant that you want to recover.
-
Repeat steps 4 and 5 for all the grants that are scheduled for deletion.
-
Once you have recovered all the grants that were scheduled for deletion, recheck the status of the KMS key to ensure that the issue has been resolved.
That’s it! These steps should help you remediate the KMS Keys Scheduled for Deletion should be Recovered issue in AWS using AWS CLI.
To remediate this issue in AWS using Python, you can use the AWS SDK for Python (Boto3) to recover the KMS keys that are scheduled for deletion. Here are the steps to do so:
- Import the required Boto3 libraries:
import boto3
from botocore.exceptions import ClientError
- Create a Boto3 client for the KMS service:
kms_client = boto3.client('kms')
- Use the
list_grantsAPI to get the list of all KMS keys that are scheduled for deletion:
try:
response = kms_client.list_grants(Filters=[{'Key': 'GrantState', 'Values': ['PendingDeletion']}])
grants = response['Grants']
except ClientError as e:
print(f"Error listing KMS grants: {e}")
grants = []
- For each grant that is scheduled for deletion, use the
cancel_key_deletionAPI to cancel the scheduled deletion:
for grant in grants:
try:
response = kms_client.cancel_key_deletion(KeyId=grant['KeyId'])
print(f"Cancelled deletion for KMS key {grant['KeyId']}")
except ClientError as e:
print(f"Error cancelling deletion for KMS key {grant['KeyId']}: {e}")
This Python script will cancel the scheduled deletion for all KMS keys that are in the “PendingDeletion” state. You can run this script periodically to ensure that any KMS keys that are scheduled for deletion are recovered.