Checks whether the status of a Key Management Service (KMS) customer master key (CMK) is set to pending deletion. If the status of the KMS CMK is not set to pending deletion, the configuration is considered compliant.
Scenarios
You can enable this rule to ensure that the status of a CMK in use is not set to pending deletion. This prevents business disruption that can be caused by accidental deletion of the CMK.
Risk level
Default risk level: medium.
When you configure this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If the status of a CMK in use is not set to pending deletion, the configuration is considered compliant.
- If the status of a CMK in use is set to pending deletion, the configuration is considered non-compliant. For more information about how to remediate the non-compliant configuration, see Non-compliance remediation.
Rule details
| Item | Description |
|---|---|
| Rule name | kms-key-state-not-pending-deletion |
| Rule ID | kms-key-state-not-pending-deletion |
| Tag | KMS and Secret |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | KMS CMKs |
| Input parameter | None |
Non-compliance remediation
Cancel the pending deletion request for the CMK so that its status is no longer pending deletion. For more information, see Schedule a key deletion task.
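The evaluation logic and the manual remediation described above, as an added example that is not part of this page's rule or of Cloud Config. It assumes key metadata shaped like a KMS DescribeKey response (KeyId, KeyState, DeleteDate) and that the Alibaba Cloud CLI exposes the KMS CancelKeyDeletion action; the key IDs are constructed placeholders.

```python
"""Evaluate CMKs against the kms-key-state-not-pending-deletion rule."""

# Constructed sample of DescribeKey-style metadata (KeyId values are placeholders,
# not real keys). Only KeyState is needed for the evaluation; DeleteDate is kept
# because it is what an operator looks at when deciding to cancel the deletion.
SAMPLE_KEYS = [
    {"KeyId": "key-example-0001", "KeyState": "Enabled"},
    {"KeyId": "key-example-0002", "KeyState": "PendingDeletion",
     "DeleteDate": "2030-01-01T00:00:00Z"},
    {"KeyId": "key-example-0003", "KeyState": "Disabled"},
]

NON_COMPLIANT_STATE = "PendingDeletion"


def evaluate_key(key_metadata):
    """Return 'COMPLIANT' or 'NON_COMPLIANT' for one CMK.

    Mirrors the rule: only a key whose state is pending deletion fails;
    every other state (Enabled, Disabled, ...) passes.
    """
    state = key_metadata.get("KeyState")
    if state is None:
        # A record without a state cannot be judged; surface it rather than
        # silently treating it as compliant.
        raise ValueError(f"missing KeyState for {key_metadata.get('KeyId')!r}")
    return "NON_COMPLIANT" if state == NON_COMPLIANT_STATE else "COMPLIANT"


def evaluate_keys(keys):
    """Map each KeyId to its evaluation result, as a configuration-change
    trigger would do for the keys in scope."""
    return {k["KeyId"]: evaluate_key(k) for k in keys}


def remediation_plan(keys):
    """Automatic remediation is not supported for this rule, so emit the
    manual step for every non-compliant key: cancel the scheduled deletion
    (assumed CLI syntax for the KMS CancelKeyDeletion action)."""
    return [
        f"aliyun kms CancelKeyDeletion --KeyId {k['KeyId']}"
        for k in keys
        if evaluate_key(k) == "NON_COMPLIANT"
    ]


if __name__ == "__main__":
    for key_id, result in evaluate_keys(SAMPLE_KEYS).items():
        print(f"{key_id}: {result}")
    for step in remediation_plan(SAMPLE_KEYS):
        print("remediate:", step)
```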