Ensure there is an Amazon CloudWatch alarm created and configured in your AWS account to fire each time an AWS CMK configuration change is made. This CloudWatch alarm must be triggered every time an AWS API call is made to DisableKey or ScheduleKeyDeletion.
Using Amazon CloudWatch alarms to detect environment configuration changes involving your AWS KMS Customer Master Keys will help you prevent any accidental or intentional modifications that may lead to unprotected data access or other security breaches.
Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account; otherwise see this rule to enable AWS CloudTrail – CloudWatch integration.
Note 2: You also have the option to implement this conformity rule with AWS CloudFormation. Download the required CloudFormation template from this URL and follow the AWS instructions available here.
To determine if there are any CloudWatch alarms set up to monitor AWS CMK configuration changes within your AWS account, perform the following:
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send email notifications whenever the appropriate Amazon CloudWatch alarm is triggered:
Step 2: Create the necessary metric filter and the CloudWatch alarm that will fire and send email notifications whenever an AWS CMK configuration changes:
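The metric filter and alarm from Step 2, as an added example that is not Cloud Conformity's own code: it holds the CloudTrail filter pattern for the two watched KMS calls, a local matcher so the pattern can be checked against constructed sample events without an AWS account, and the parameter sets a boto3 `put_metric_filter` / `put_metric_alarm` call would take. The log group name, topic ARN, filter name and alarm name are assumed placeholders.

```python
# KMS API calls this rule watches for (CloudTrail eventName values).
WATCHED_EVENTS = ("DisableKey", "ScheduleKeyDeletion")

# CloudWatch Logs metric filter pattern (JSON filter syntax) applied to the
# CloudTrail log group. Matches only KMS events with one of the two names.
FILTER_PATTERN = (
    "{ ($.eventSource = kms.amazonaws.com) && "
    "(($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
)

def event_matches(event: dict) -> bool:
    """Local re-implementation of what FILTER_PATTERN matches, used to
    sanity-check the pattern against sample events offline."""
    return (event.get("eventSource") == "kms.amazonaws.com"
            and event.get("eventName") in WATCHED_EVENTS)

def metric_filter_params(log_group: str) -> dict:
    """kwargs for boto3 logs.put_metric_filter (call not made here)."""
    return {
        "logGroupName": log_group,                     # assumed placeholder
        "filterName": "CMKConfigurationChanges",       # assumed name
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": "CMKConfigurationChangesCount",
            "metricNamespace": "CloudTrailMetrics",
            "metricValue": "1",                         # +1 per matching event
        }],
    }

def alarm_params(sns_topic_arn: str) -> dict:
    """kwargs for boto3 cloudwatch.put_metric_alarm: alarm on >= 1 matching
    event within a 5-minute period, notifying the Step 1 SNS topic."""
    return {
        "AlarmName": "CMKConfigurationChangesAlarm",   # assumed name
        "MetricName": "CMKConfigurationChangesCount",
        "Namespace": "CloudTrailMetrics",
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",            # no events is not an alarm
        "AlarmActions": [sns_topic_arn],
    }

# Constructed sample CloudTrail records (not real events); only the first
# should trip the filter.
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion"},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey"},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteUser"},
]

def count_hits(events) -> int:
    """Number of events the metric filter would count."""
    return sum(event_matches(e) for e in events)
```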