[KMS.3] AWS KMS keys should not be deleted unintentionally
- Contextual name: [KMS.3] AWS KMS keys should not be deleted unintentionally
- ID: /frameworks/aws-fsbp-v1.0.0/kms/03
- Located in: Key Management Service (KMS)
Description
KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a cryptographic erasure.
When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.
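A defender-side check of the condition this control describes, added here as an example (not part of this page, AWS, or Security Hub): it flags keys whose KeyState is PendingDeletion, reports how many days remain to cancel, and validates a requested waiting period against the 7 to 30 day bounds. Field names mirror the KeyMetadata of the KMS DescribeKey response; the key IDs, dates and "now" timestamp are constructed.

```python
"""KMS.3 check: flag KMS keys whose KeyState is PendingDeletion.

Added example, not AWS or Security Hub code. The dicts mirror KeyMetadata
fields of the KMS DescribeKey response (KeyId, KeyState, DeletionDate);
key IDs, dates and the 'now' timestamp are constructed sample values.
"""
from datetime import datetime, timedelta, timezone

MIN_WINDOW_DAYS, MAX_WINDOW_DAYS = 7, 30  # waiting periods KMS accepts


def is_valid_pending_window(days):
    """True if a requested waiting period (PendingWindowInDays) lies in 7..30."""
    return MIN_WINDOW_DAYS <= days <= MAX_WINDOW_DAYS


def evaluate_keys(key_metadata, now):
    """One finding per key in PendingDeletion. DaysRemaining is the time left to
    call CancelKeyDeletion; past DeletionDate the key and its ciphertext are gone."""
    findings = []
    for meta in key_metadata:
        if meta.get("KeyState") != "PendingDeletion":
            continue  # Enabled/Disabled keys pass this control
        remaining = meta["DeletionDate"] - now
        findings.append({
            "KeyId": meta["KeyId"],
            "DeletionDate": meta["DeletionDate"].isoformat(),
            "DaysRemaining": max(0, remaining.days),
            "Action": "cancel deletion, or decrypt/re-encrypt data under a new key",
        })
    return findings


# Constructed sample: one healthy key and two scheduled for deletion.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "1111aaaa-0000-0000-0000-000000000001", "KeyState": "Enabled"},
    {"KeyId": "2222bbbb-0000-0000-0000-000000000002", "KeyState": "PendingDeletion",
     "DeletionDate": SAMPLE_NOW + timedelta(days=25, hours=12)},
    {"KeyId": "3333cccc-0000-0000-0000-000000000003", "KeyState": "PendingDeletion",
     "DeletionDate": SAMPLE_NOW + timedelta(days=3)},
]


def run_sample():
    """Evaluate the constructed sample; returns the two PendingDeletion findings."""
    return evaluate_keys(SAMPLE_KEYS, SAMPLE_NOW)
```

In a live account the same function would be fed the KeyMetadata returned by DescribeKey for each key listed by ListKeys, which is how a scheduled job can surface keys before their waiting period runs out.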
Similar
- AWS Security Hub
- Internal
- ID: dec-c-b213a9c2
- ID:
Similar Sections (Give Policies To)
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
NIST SP 800-53 Revision 5 → SC-12 Cryptographic Key Establishment and Management | 6 | 1 | 3 |
NIST SP 800-53 Revision 5 → SC-12(2) Cryptographic Key Establishment and Management _ Symmetric Keys | 1 | 1 | |
Sub Sections