
Get Amazon SNS notifications when the key state of an AWS KMS key changes

Created by Shubham Harsora (AWS), Aromal Raj Jayarajan (AWS), and Navdeep Pareek (AWS)

Summary

The data and metadata associated with an AWS Key Management Service (AWS KMS) key are lost when that key is deleted. The deletion is irreversible, and you can't recover the lost data (including data encrypted under that key). You can reduce the risk of data loss by setting up a notification system that alerts you whenever the key state of one of your AWS KMS keys changes.

This pattern shows you how to monitor status changes to AWS KMS keys by using Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to issue automated notifications whenever the key state of an AWS KMS key changes to Disabled or PendingDeletion. For example, if a user tries to disable or delete an AWS KMS key, you will receive an email notification with details about the attempted status change. You can also use this pattern to schedule the deletion of AWS KMS keys.

Prerequisites and limitations

Prerequisites

  • An active AWS account with an AWS Identity and Access Management (IAM) user

  • An AWS KMS key

Architecture

Technology stack

  • Amazon EventBridge

  • AWS Key Management Service (AWS KMS)

  • Amazon Simple Notification Service (Amazon SNS)

Target architecture

The following diagram shows an architecture for building an automated monitoring and notification process for detecting any changes to the state of an AWS KMS key.

Architecture for building an automated monitoring and notification process

The diagram shows the following workflow:

  1. A user disables or schedules the deletion of an AWS KMS key.

  2. An EventBridge rule evaluates the scheduled Disabled or PendingDeletion event.

  3. The EventBridge rule invokes the Amazon SNS topic.

  4. Amazon SNS sends an email notification message to the users.

Note

You can customize the email message to meet your organization's needs. We recommend including information about the entities where the AWS KMS key is used. This can help users understand the impact of deleting the AWS KMS key. You can also schedule a reminder email notification that's sent one or two days before the AWS KMS key is deleted.
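To make the workflow above concrete, here is an added example (not code from the pattern's repository) that runs an EventBridge-style event pattern over constructed CloudTrail events for AWS KMS and builds the notification text the SNS topic would carry. The pattern, the matcher, and the message format are assumptions for illustration; the account ID, key ID, and user ARN in the sample event are placeholders.

```python
# Added example, not code from the pattern's repository: an EventBridge-style
# pattern matcher run over constructed CloudTrail events for AWS KMS, showing
# which API calls the rule forwards to SNS and what the message could contain.

# Assumed rule pattern: the two API calls that move a key to Disabled or PendingDeletion.
KMS_STATE_CHANGE_PATTERN = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["kms.amazonaws.com"],
               "eventName": ["DisableKey", "ScheduleKeyDeletion"]},
}

def matches(pattern, event):
    """Subset of EventBridge matching: a list means 'one of these', a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def build_notification(event):
    """Return the SNS message body for a matching event, or None if the rule drops it."""
    if not matches(KMS_STATE_CHANGE_PATTERN, event):
        return None
    d = event["detail"]
    params = d.get("requestParameters") or {}
    new_state = "Disabled" if d["eventName"] == "DisableKey" else "PendingDeletion"
    actor = d.get("userIdentity", {}).get("arn", "unknown")
    msg = (f"AWS KMS key state change: {new_state}\n"
           f"Key: {params.get('keyId', 'unknown')}\n"
           f"Action: {d['eventName']} by {actor} at {d.get('eventTime', 'unknown')}")
    if new_state == "PendingDeletion":
        msg += f"\nDeletion in {params.get('pendingWindowInDays', '?')} days"
    return msg

# Constructed sample event; account ID, key ID and user ARN are placeholders.
SAMPLE_SCHEDULE_DELETION = {
    "source": "aws.kms", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
               "eventTime": "2024-01-01T00:00:00Z",
               "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
               "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
                                     "pendingWindowInDays": 7}},
}

if __name__ == "__main__":
    print(build_notification(SAMPLE_SCHEDULE_DELETION))
```

Events for other KMS calls (for example EnableKey) fall through the pattern and produce no message, which is the same filtering the EventBridge rule performs before invoking the topic.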

Automation and scale

The AWS CloudFormation stack deploys all the necessary resources and services for this pattern to work. You can implement the pattern independently in a single account, or by using AWS CloudFormation StackSets for multiple independent accounts or organizational units in AWS Organizations.

Tools

  • AWS CloudFormation helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and AWS Regions. The CloudFormation template for this pattern describes all the AWS resources that you want, and CloudFormation provisions and configures those resources for you.

  • Amazon EventBridge is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications and AWS services, and it routes that data to targets such as AWS Lambda. EventBridge simplifies the process of building event-driven architectures.

  • AWS Key Management Service (AWS KMS) helps you create and control cryptographic keys to help protect your data.

  • Amazon Simple Notification Service (Amazon SNS) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses.

Code

The code for this pattern is available in the GitHub Monitor AWS KMS keys disable and scheduled deletion repository.

Epics

Task | Description | Skills required

Clone the repository.

Clone the GitHub Monitor AWS KMS keys disable and scheduled deletion repository to your local machine by running the following command:

git clone https://github.com/aws-samples/aws-kms-deletion-notification

AWS administrator, Cloud architect

Update the template's parameters.

In a code editor, open the Alerting-KMS-Events.yaml CloudFormation template that you cloned from the repository, and then update the following parameters:

  • For DestinationEmailAddress, enter an active email address that you plan to use for receiving the SNS notification.

  • For SNSTopicName, enter a name for your SNS topic.

AWS administrator, Cloud architect

Deploy the CloudFormation template.

  1. Sign in to the AWS Management Console and open the CloudFormation console.

  2. In the navigation pane, choose Create stack, and then choose With new resources (standard).

  3. On the Identify resources page, choose Next.

  4. On the Specify template page, for Template source, select Upload a template file.

  5. Choose Choose file, select the Alerting-KMS-Events.yaml file from your cloned GitHub repository, and then choose Next.

  6. For Stack name, enter your stack name.

  7. Choose Submit.

AWS administrator, Cloud architect
Task | Description | Skills required

Confirm the subscription email.

After the CloudFormation template successfully deploys, Amazon SNS sends a subscription confirmation message to the email address that you provided in the CloudFormation template.

To receive notifications, you must confirm this email subscription. For more information, see Confirm the subscription in the Amazon SNS Developer Guide.

AWS administrator, Cloud architect
Task | Description | Skills required

Disable AWS KMS keys.

  1. Sign in to the AWS Management Console and open the AWS KMS console.

  2. To change the Region, choose the name of the currently displayed Region, and then choose the Region to which you want to switch.

  3. In the navigation pane, choose Customer managed keys.

  4. Select the check box for the AWS KMS key that you want to enable or disable.

  5. To disable the AWS KMS key, choose Key actions, and then choose Disable.

AWS administrator

Validate the subscription.

Confirm that you received the Amazon SNS notification email.

AWS administrator
Task | Description | Skills required

Delete the CloudFormation stack.

  1. Sign in to the AWS Management Console and open the CloudFormation console.

  2. In the navigation pane, choose Stacks.

  3. Select the stack that you created previously, and then choose Delete.

AWS administrator

Related resources

Additional information

Amazon SNS provides in-transit encryption by default. To align with security best practices, you can also enable server-side encryption for Amazon SNS by using an AWS KMS customer managed key.