Generate near-real-time alerts when a KMS key version is disabled or scheduled for deletion, enabling rapid investigation and recovery.
Crypto / Key / Controls / DEV
Alert on Key-version Changes
CCC.KeyMgmt.CN01 · Observability
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.KeyMgmt.CP14 | Key Versioning | Provides the ability to manage multiple versions of a key. |
| CCC.KeyMgmt.CP16 | Disable key | Supports the ability to disable a managed key without deletion. |
| CCC.KeyMgmt.CP18 | Soft Delete | Supports the ability to prevent the immediate deletion of a managed key. This includes the ability to recover accidental deletion of keys within a grace period. |
| CCC.KeyMgmt.CP19 | Delete Key | Supports the ability to permanently delete a managed key after the grace period defined on soft delete. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.KeyMgmt.TH01 | Deletion or Disabling of Key Versions Causing Denial of Service or Data Loss | Disabling, scheduling deletion, or permanently purging KMS key versions that protect sensitive data can prevent required decryption or signing operations. Service interruption or irreversible data loss may occur if the key material is no longer recoverable. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.KeyMgmt.CN01.AR01 | When a key version is scheduled for deletion or disabled, an alert MUST be generated within five minutes. | tlp-amber, tlp-red |