More Info:

Detect the KMS keys that are scheduled to be destroyed. NOTE: Data encrypted with a key cannot be decrypted once that key has been destroyed.

Risk Level

High

Address

Operational Maturity, Security

Compliance Standards

HITRUST

Triage and Remediation

Remediation

To detect KMS keys that are scheduled to be destroyed in GCP, follow these steps:

  1. Open the Google Cloud Console and select the project where the KMS key is located.
  2. In the left-hand menu, select “Security”.
  3. Click on “Key Management Service”.
  4. In the KMS dashboard, click on “Scheduled for destruction” in the left-hand menu.
  5. You will see a list of KMS keys that are scheduled for destruction.

To remediate this issue, you can either cancel the scheduled destruction or create a new key to replace the one that is scheduled for destruction. To cancel the scheduled destruction, follow these steps:

  1. Select the KMS key that is scheduled for destruction.
  2. Click on “Cancel destruction” in the top menu.
  3. Confirm the cancellation.

To create a new key to replace the one that is scheduled for destruction, follow these steps:

  1. Click on “Create key” in the top menu.
  2. Choose the key type and key version.
  3. Enter a name for the key.
  4. Click on “Create”.

Note: Be sure to update any applications or services that use the original KMS key with the new key.
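The detection and cancellation steps above can also be driven from the CLI. The following added example (not part of the original page) parses the JSON that `gcloud kms keys versions list --key KEY --keyring RING --location LOC --format=json` returns, reports every key version in the DESTROY_SCHEDULED state with the days left before destruction, and builds the matching `gcloud kms keys versions restore` command, which is the CLI equivalent of "Cancel destruction". In Cloud KMS destruction is scheduled per key version, so the example works at that level; the project, key ring and key names in the embedded sample are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `gcloud kms keys versions list --format=json`
# output for one key (hypothetical project, key ring and key names).
SAMPLE_VERSIONS_JSON = """
[
  {"name": "projects/example-proj/locations/us-east1/keyRings/app-ring/cryptoKeys/db-key/cryptoKeyVersions/1",
   "state": "ENABLED", "createTime": "2024-01-10T09:00:00.000000Z"},
  {"name": "projects/example-proj/locations/us-east1/keyRings/app-ring/cryptoKeys/db-key/cryptoKeyVersions/2",
   "state": "DESTROY_SCHEDULED", "createTime": "2024-03-10T09:00:00.000000Z",
   "destroyTime": "2024-04-01T09:00:00.000000Z"},
  {"name": "projects/example-proj/locations/us-east1/keyRings/app-ring/cryptoKeys/db-key/cryptoKeyVersions/3",
   "state": "DESTROYED", "createTime": "2023-12-01T09:00:00.000000Z"}
]
"""

def _parse_rfc3339(ts):
    # gcloud emits a trailing "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_scheduled_destructions(versions_json, now_rfc3339):
    """Return key versions in DESTROY_SCHEDULED state, most urgent first."""
    now = _parse_rfc3339(now_rfc3339)
    findings = []
    for v in json.loads(versions_json):
        if v.get("state") != "DESTROY_SCHEDULED":
            continue
        # Resource name layout:
        # projects/P/locations/L/keyRings/R/cryptoKeys/K/cryptoKeyVersions/N
        parts = v["name"].split("/")
        fields = dict(zip(parts[0::2], parts[1::2]))
        days_left = (_parse_rfc3339(v["destroyTime"]) - now).total_seconds() / 86400
        findings.append({
            "version": fields["cryptoKeyVersions"],
            "key": fields["cryptoKeys"],
            "days_left": round(days_left, 1),
            # CLI equivalent of clicking "Cancel destruction" in the console.
            "restore_cmd": (
                f"gcloud kms keys versions restore {fields['cryptoKeyVersions']} "
                f"--key {fields['cryptoKeys']} --keyring {fields['keyRings']} "
                f"--location {fields['locations']} --project {fields['projects']}"
            ),
        })
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    for finding in find_scheduled_destructions(SAMPLE_VERSIONS_JSON, now):
        print(finding)
```

Run the same function over the real `gcloud` output for each key in scope, and treat any finding with a small `days_left` as the first thing to restore or replace.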