Logging and monitoring

Unmonitored KMS events

Risk Level

Informational (4)

Platform(s)
Compliance Frameworks

Description

Ensure that KMS configuration changes are monitored correctly in AWS CloudWatch.

Recommended Mitigation

It is recommended to monitor configuration changes in AWS KMS. The API calls that need to be monitored are: CreateAlias, CreateGrant, CreateKey, EnableKey, EnableKeyRotation, ImportKeyMaterial, PutKeyPolicy, RetireGrant, RevokeGrant, ScheduleKeyDeletion, TagResource, UntagResource, UpdateAlias, UpdateKeyDescription, DisableKey, DisableKeyRotation, CancelKeyDeletion, DeleteAlias, DeleteImportedKeyMaterial.
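The following Python is an added example, not part of the original rule text. It builds a CloudWatch Logs metric filter pattern covering the listed events, checks an existing pattern for events it leaves out, and runs the same match over constructed CloudTrail records. It assumes CloudTrail is delivered to a CloudWatch Logs log group; the function names and the sample records are hypothetical.

```python
import json

# Event names exactly as listed in the recommendation above.
KMS_EVENTS = [
    "CreateAlias", "CreateGrant", "CreateKey", "EnableKey", "EnableKeyRotation",
    "ImportKeyMaterial", "PutKeyPolicy", "RetireGrant", "RevokeGrant",
    "ScheduleKeyDeletion", "TagResource", "UntagResource", "UpdateAlias",
    "UpdateKeyDescription", "DisableKey", "DisableKeyRotation",
    "CancelKeyDeletion", "DeleteAlias", "DeleteImportedKeyMaterial",
]
KMS_SOURCE = "kms.amazonaws.com"


def build_filter_pattern(events=KMS_EVENTS):
    """Return a CloudWatch Logs JSON filter pattern for CloudTrail records."""
    names = " || ".join(f"($.eventName = {e})" for e in events)
    # Scope by eventSource: TagResource/UntagResource are also emitted by other services.
    return f"{{ ($.eventSource = {KMS_SOURCE}) && ({names}) }}"


def matches(record, events=KMS_EVENTS):
    """Local equivalent of the pattern, for testing against sample records."""
    return record.get("eventSource") == KMS_SOURCE and record.get("eventName") in events


def missing_events(existing_pattern, events=KMS_EVENTS):
    """Events an existing pattern does not cover.

    Assumes each term is parenthesised, e.g. ($.eventName = DisableKey); the
    closing paren keeps DisableKey from being satisfied by DisableKeyRotation.
    """
    compact = "".join(existing_pattern.split()).replace('"', "")
    return [e for e in events if f"$.eventName={e})" not in compact]


# Constructed CloudTrail records, reduced to the two fields the filter reads.
SAMPLE_LINES = [
    '{"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion"}',
    '{"eventSource": "kms.amazonaws.com", "eventName": "Decrypt"}',
    '{"eventSource": "lambda.amazonaws.com", "eventName": "TagResource"}',
    '{"eventSource": "kms.amazonaws.com", "eventName": "DisableKeyRotation"}',
]


def flagged(lines):
    """Names of the sample events that the filter would count."""
    return [r["eventName"] for r in map(json.loads, lines) if matches(r)]
```

The string returned by `build_filter_pattern()` can be passed as `--filter-pattern` to `aws logs put-metric-filter`, with a CloudWatch alarm set on the resulting metric.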