By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM Policies

By Service Protected

Configuration Packages

Strategy Guides

Other

CloudWatch Alarms and Event Rules

Detect and Notify on KMS CMK Operations

A CloudWatch Event Rule that detects KMS Customer Master Key (CMK) changes and publishes change events to an SNS topic for notification. Events include key creation, deletion, or key enabling/disabling operations, imported key material operations, as well as updates to CMK key policies.

AWS Quickstart
Items
3
Size
2.3 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  EventRule:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-kms-cmk-operations"
      Description: "A CloudWatch Event Rule that detects KMS Customer Master Key (CMK) changes and publishes change events to an SNS topic for notification. Events include key creation, deletion, or key enabling/disabling operations, imported key material operations, as well as updates to CMK key policies."
      State: "ENABLED"
      Targets:
        - Arn:
            Ref: "SnsTopicEventRule"
          Id: "target-id1"
      EventPattern:
        detail-type:
          - "AWS API Call via CloudTrail"
        detail:
          eventSource:
            - "kms.amazonaws.com"
          eventName:
            - "DisableKey"
            - "ScheduleKeyDeletion"
            - "CancelKeyDeletion"
            - "CreateKey"
            - "CreateAlias"
            - "EnableKey"
            - "PutKeyPolicy"
            - "ImportKeyMaterial"
            - "DeleteImportedKeyMaterial"
  SnsTopicEventRule:
    Type: "AWS::SNS::Topic"
    Properties:
      Subscription:
        - Endpoint: "email@example.com"
          Protocol: "email"
      TopicName: "event-rule-action"
  SnsTopicPolicyEventRule:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      PolicyDocument:
        Statement:
          - Sid: "__default_statement_ID"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "SNS:GetTopicAttributes"
              - "SNS:SetTopicAttributes"
              - "SNS:AddPermission"
              - "SNS:RemovePermission"
              - "SNS:DeleteTopic"
              - "SNS:Subscribe"
              - "SNS:ListSubscriptionsByTopic"
              - "SNS:Publish"
              - "SNS:Receive"
            Resource:
              Ref: "SnsTopicEventRule"
            Condition:
              StringEquals:
                AWS:SourceOwner:
                  Ref: "AWS::AccountId"
          - Sid: "TrustCWEToPublishEventsToMyTopic"
            Effect: "Allow"
            Principal:
              Service: "events.amazonaws.com"
            Action: "sns:Publish"
            Resource:
              Ref: "SnsTopicEventRule"
      Topics:
        - Ref: "SnsTopicEventRule"
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Rule Configuration

Target Details


* Required field