Get Amazon SNS notifications when the key state of an AWS KMS key changes
Created by Shubham Harsora (AWS), Aromal Raj Jayarajan (AWS), and Navdeep Pareek (AWS)
Summary
The data and metadata associated with an AWS Key Management Service (AWS KMS) key is lost when that key is deleted. The deletion is irreversible and you can't recover lost data (including encrypted data). You can prevent data loss by setting up a notification system to alert you of status changes to key states of your AWS KMS keys.
This pattern shows you how to monitor status changes to AWS KMS keys by using Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to issue automated notifications whenever the key state of an AWS KMS key changes to Disabled
or PendingDeletion
. For example, if a user tries to disable or delete an AWS KMS key, you will receive an email notification with details about the attempted status change. You can also use this pattern to schedule the deletion of AWS KMS keys.
Prerequisites and limitations
Prerequisites
An active AWS account with an AWS Identity and Access Management (IAM) user
An AWS KMS key
Architecture
Technology stack
Amazon EventBridge
AWS Key Management Service (AWS KMS)
Amazon Simple Notification Service (Amazon SNS)
Target architecture
The following diagram shows an architecture for building an automated monitoring and notification process for detecting any changes to the state of an AWS KMS key.
The diagram shows the following workflow:
A user disables or schedules the deletion of an AWS KMS key.
An EventBridge rule evaluates the scheduled
Disabled
orPendingDeletion
event.The EventBridge rule invokes the Amazon SNS topic.
Amazon SNS sends an email notification message to the users.
Note
You can customize the email message to meet your organization's needs. We recommend including information about the entities where the AWS KMS key is used. This can help users understand the impact of deleting the AWS KMS key. You can also schedule a reminder email notification that's sent one or two days before the AWS KMS key is deleted.
Automation and scale
The AWS CloudFormation stack deploys all the necessary resources and services for this pattern to work. You can implement the pattern independently in a single account, or by using AWS CloudFormation StackSets for multiple independent accounts or organizational units in AWS Organizations.
Tools
AWS CloudFormation helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and AWS Regions. The CloudFormation template for this pattern describes all the AWS resources that you want, and CloudFormation provisions and configures those resources for you.
Amazon EventBridge is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications and AWS services, and it routes that data to targets such as AWS Lambda. EventBridge simplifies the process of building event-driven architectures.
AWS Key Management Service (AWS KMS) helps you create and control cryptographic keys to help protect your data.
Amazon Simple Notification Service (Amazon SNS) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses.
Code
The code for this pattern is available in the GitHub Monitor AWS KMS keys disable and scheduled deletion
Epics
Task | Description | Skills required |
---|---|---|
Clone the repository. | Clone the GitHub Monitor AWS KMS keys disable and scheduled deletion
| AWS administrator, Cloud architect |
Update the template's parameters. | In a code editor, open the
| AWS administrator, Cloud architect |
Deploy the CloudFormation template. |
| AWS administrator, Cloud architect |
Task | Description | Skills required |
---|---|---|
Confirm the subscription email. | After the CloudFormation template successfully deploys, Amazon SNS sends a subscription confirmation message to the email address that you provided in the CloudFormation template. To receive notifications, you must confirm this email subscription. For more information, see Confirm the subscription in the Amazon SNS Developer Guide. | AWS administrator, Cloud architect |
Task | Description | Skills required |
---|---|---|
Disable AWS KMS keys. |
| AWS administrator |
Validate the subscription. | Confirm that you received the Amazon SNS notification email. | AWS administrator |
Task | Description | Skills required |
---|---|---|
Delete the CloudFormation stack. |
| AWS administrator |
Related resources
AWS CloudFormation
(AWS documentation) Creating a stack on the AWS CloudFormation console (AWS CloudFormation documentation)
Building event-driven architectures on AWS
(AWS Workshop Studio documentation) AWS Key Management Service Best Practices
(AWS Whitepaper) Security best practices for AWS Key Management Service (AWS KMS Developer Guide)
Additional information
Amazon SNS provides in-transit encryption by default. To align with security best practices, you can also enable server-side encryption for Amazon SNS by using an AWS KMS customer managed key.