Kms scheduled deletion remediation

Using Console

Using CLI

Sure, here are the step-by-step instructions to remediate the KMS Keys Scheduled for Deletion should be Recovered issue in AWS using AWS CLI:

Open the AWS CLI on your local machine.
Run the following command to list all the KMS keys that are scheduled for deletion:

aws kms list-grants --key-id <key-id> --query "Grants[?RetiringPrincipal!=''].GrantId"

Note: Replace <key-id> with the ID of the KMS key that is scheduled for deletion.

Review the output of the command and identify the Grant IDs of the grants that are scheduled for deletion.
Run the following command to recover the grants that are scheduled for deletion:

aws kms retire-grant --key-id <key-id> --grant-id <grant-id>

Note: Replace <key-id> with the ID of the KMS key that is scheduled for deletion and <grant-id> with the ID of the grant that you want to recover.

Repeat steps 4 and 5 for all the grants that are scheduled for deletion.
Once you have recovered all the grants that were scheduled for deletion, recheck the status of the KMS key to ensure that the issue has been resolved.

That’s it! These steps should help you remediate the KMS Keys Scheduled for Deletion should be Recovered issue in AWS using AWS CLI.

Using Python

To remediate this issue in AWS using Python, you can use the AWS SDK for Python (Boto3) to recover the KMS keys that are scheduled for deletion. Here are the steps to do so:

Import the required Boto3 libraries:

import boto3
from botocore.exceptions import ClientError

Create a Boto3 client for the KMS service:

kms_client = boto3.client('kms')

Use the list_grants API to get the list of all KMS keys that are scheduled for deletion:

try:
    response = kms_client.list_grants(Filters=[{'Key': 'GrantState', 'Values': ['PendingDeletion']}])
    grants = response['Grants']
except ClientError as e:
    print(f"Error listing KMS grants: {e}")
    grants = []

For each grant that is scheduled for deletion, use the cancel_key_deletion API to cancel the scheduled deletion:

for grant in grants:
    try:
        response = kms_client.cancel_key_deletion(KeyId=grant['KeyId'])
        print(f"Cancelled deletion for KMS key {grant['KeyId']}")
    except ClientError as e:
        print(f"Error cancelling deletion for KMS key {grant['KeyId']}: {e}")

This Python script will cancel the scheduled deletion for all KMS keys that are in the “PendingDeletion” state. You can run this script periodically to ensure that any KMS keys that are scheduled for deletion are recovered.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Kms scheduled deletion remediation

Triage and Remediation

Remediation