Overview

A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion.

Prerequisites: This Alarm requires CloudTrail enabled, with events sent to a CloudWatch Log Group. See Related Configuration Items for configuration to enable CloudTrail/CloudWatch, or enter the CloudWatch Log Group name under the Metric Filter Configuration section.

Configuration Templates

Items
3
Size
1.2 KB
Missing Parameters
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  SnsTopic:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
      TopicName: alarm-action
  CloudWatchAlarm:
    Type: 'AWS::CloudWatch::Alarm'
    Properties:
      AlarmName: disabled_deleted_cmks
      AlarmDescription: >-
        A CloudWatch Alarm that triggers if customer created CMKs get disabled
        or scheduled for deletion.
      MetricName: KMSCustomerKeyDeletion
      Namespace: CloudTrailMetrics
      Statistic: Sum
      Period: '60'
      EvaluationPeriods: '1'
      Threshold: '1'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      AlarmActions:
        - Ref: SnsTopic
      TreatMissingData: notBreaching
  MetricFilter:
    Type: 'AWS::Logs::MetricFilter'
    Properties:
      LogGroupName: ''
      FilterPattern: >-
        { ($.eventSource = kms.amazonaws.com) &&  (($.eventName=DisableKey) ||
        ($.eventName=ScheduleKeyDeletion)) }
      MetricTransformations:
        - MetricValue: '1'
          MetricNamespace: CloudTrailMetrics
          MetricName: KMSCustomerKeyDeletion
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Configure Action

Metric Filter Configuration


Alarm Configuration

* Required field

Sources and Documentation

Configuration Source: AWS Quickstart

Additional Documentation: