Oh No! Someone deleted my KMS Key!

  • 7 March 2024
  • 1 comment

Userlevel 3

Recently @Julia F Morgado and I have released a blog post talking on the Best Practices to a secure AWS environment.


In this guide, we emphasize the significance of data encryption and utilizing the AWS Key Management Service (KMS). Encrypting data is crucial to thwart unauthorized access, and when combined with immutability, it not only protects against data theft and misuse but also guards against the malicious deletion of data.

There’s also a third risk even with those two practices that I would like to share, which is the KMS key being deleted.  Say you’ve done everything right and encrypted your immutable backups with a key, then your production and/or other copy of the data (3-2-1 rule, right?) have been attacked, locked or encrypted, and someone have deleted the KMS key to your backups, how will you recover?

Andreas Wittig from Cloudonaut wrote an interesting scenario where a combination of some pre-conditions could lead to someone being able to take control and delete someone else’s key.

The narrative presents a scenario where an AWS account owner with AdministratorAccess, creates a customer-managed key with a restrictive key policy. However, another user, also having AdministratorAccess, circumvents the policy to delete the key using a multi-step process involving IAM user deletion, account information manipulation, and AWS support engagement.

Mitigations suggested for AWS customers involve restricting access to change contact information with account:PutContactInformation using service control policies (SCPs).

This additional precaution helps safeguard against potential vulnerabilities related to the deletion of KMS keys.

1 comment

Userlevel 7
Badge +21

Very interesting guide. Look forward to reading it.