💼 [KMS.3] AWS KMS keys should not be deleted unintentionally

ID: /frameworks/aws-fsbp-v1.0.0/kms/03

Description

KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.

When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.

Similar

AWS Security Hub
- https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-3
Internal
- ID: dec-c-b213a9c2

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 NIST SP 800-53 Revision 5 → 💼 SC-12 Cryptographic Key Establishment and Management	6	1	11		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-12(2) Cryptographic Key Establishment and Management _ Symmetric Keys		1	4		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (1)

Policy	Logic Count	Flags	Compliance
🛡️ AWS KMS CMK is scheduled for deletion🟢	1	🟢 x6	no data

Description​

Similar​

Similar Sections (Give Policies To)​

Sub Sections​

Policies (1)​

Description

Similar

Similar Sections (Give Policies To)

Sub Sections

Policies (1)