CloudWatch Alarms and Event Rules: KMS CMKs Disabled or Deleted Alarm

My Saved Presets

A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion.

Prerequisites: This Alarm requires CloudTrail enabled, with events sent to a CloudWatch Log Group. See Related Configuration Items for configuration to enable CloudTrail/CloudWatch, or enter the CloudWatch Log Group name under the Metric Filter Configuration section.

Items

Size

1.2 KB

Missing Parameters

YAML/JSON

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  SnsTopicMetricFilterCloudWatchAlarm:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
      TopicName: alarm-action
  CloudWatchAlarm:
    Type: 'AWS::CloudWatch::Alarm'
    Properties:
      AlarmName: disabled_deleted_cmks
      AlarmDescription: A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion.
      MetricName: KMSCustomerKeyDeletion
      Namespace: CloudTrailMetrics
      Statistic: Sum
      Period: '60'
      EvaluationPeriods: '1'
      Threshold: '1'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      AlarmActions:
        - Ref: SnsTopicMetricFilterCloudWatchAlarm
      TreatMissingData: notBreaching
  MetricFilterCloudWatchAlarm:
    Type: 'AWS::Logs::MetricFilter'
    Properties:
      LogGroupName: ''
      FilterPattern: '{ ($.eventSource = kms.amazonaws.com) &&  (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }'
      MetricTransformations:
        - MetricValue: '1'
          MetricNamespace: CloudTrailMetrics
          MetricName: KMSCustomerKeyDeletion
Parameters: {}
Metadata: {}
Conditions: {}

* Required field

Loading Library ...

KMS CMKs Disabled or Deleted Alarm

Actions

Customize Template

Action Settings

Metric Filter Settings

Alarm Configuration