Administration Guide

Cloud KMS Key Version Destroyed

This alert fires when Lacework FortiCNAPP detects that a version of a Google Cloud Key Management Service (Cloud KMS) key was destroyed.

Cloud KMS manages the cryptographic keys that protect your cloud resources and applications. A key has one or more versions, each with its own key material, and destroying a version affects only that version, not the key or its other versions. A destroyed version does not disappear at once: it first enters the Scheduled for destruction state for a duration set per key at creation time (at least 24 hours), during which it can no longer be used for cryptographic operations but can still be restored. Once that period elapses the key material is permanently deleted, and any data encrypted only under that version can no longer be decrypted.

Related policy: LW_AT_RESOURCE_177: Cloud KMS Key Version Destroyed

Why this alert is important

This alert is important for several reasons:

  • Security: Cryptographic keys are a critical component of security in any cloud environment. If a key version is destroyed without proper authorization, every object encrypted under that version becomes undecryptable once the destruction completes, so an unauthorized destroy is effectively a data-destruction event. By monitoring this alert, you can detect unauthorized or suspicious key destruction while the version is still restorable and act before the loss becomes permanent.
  • Compliance: Many regulatory requirements, such as PCI-DSS and HIPAA, require organizations to have strict controls over cryptographic keys. Monitoring this alert can help you demonstrate compliance with these requirements and avoid potential fines or other penalties.
  • Disaster recovery: If a key version is accidentally or maliciously destroyed, it can result in data loss or downtime. By monitoring this alert, you can detect and respond to these incidents quickly, minimizing the impact on your business operations.
  • Auditing: Monitoring key version disposal operations provides a record of who performed the action, when, and which key version was destroyed. This information can be used for auditing purposes to ensure that key destruction is performed in a controlled and authorized manner.

Investigation

Follow these steps to investigate the alert:

  1. Review the Cloud Audit Logs (Admin Activity) entry for the DestroyCryptoKeyVersion call. It records the principal (principalEmail), the caller IP address and user agent, and the exact key version in resourceName. Then look at what the same principal did shortly before and after the destroy, for example other key management operations or changes to other resources.
  2. Review IAM changes (SetIamPolicy entries in the same audit logs) on the key, key ring, project, folder or organization around the time of the event, to find any grant that gave the principal the cloudkms.cryptoKeyVersions.destroy permission (included in roles such as Cloud KMS Admin) shortly before it was used.
  3. Review network logs (VPC Flow Logs, firewall logs, VPN or proxy logs) for the caller IP address recorded in the audit entry and for the surrounding time window. This helps establish where the request came from and whether the same source touched other systems.
  4. Review the activity of other users and service accounts with access to the affected key. Look for unusual or suspicious activity, such as permission changes, key rotations, or further destroy or disable operations on other versions.
  5. Conduct forensic analysis of the system from which the request originated (the workstation, VM or CI runner identified by the caller IP and user agent), and check whether a service account key was used (serviceAccountKeyName in the audit entry) and whether that key may have been exposed. The key material itself is held by Cloud KMS and is not available for examination.
  6. Report the incident to your organization's security team or Google Cloud Support to ensure appropriate measures are taken to prevent similar incidents.

Resolution

Use the following steps to resolve an unauthorized cloud KMS key version disposal:

  1. If the user or service account responsible for the destroy still has access to your Google Cloud environment, revoke that access immediately: remove the role bindings, disable the service account or its keys, and revoke the user's sessions, so that no further versions can be destroyed.
  2. Check the state of the destroyed version. If it is still in the Scheduled for destruction state, restore it immediately; this is the only way to recover the key material. Once the scheduled destruction time has passed, the material cannot be recovered by Google Cloud or by you, unless the key material was originally imported and you still hold the original copy outside Cloud KMS, in which case it can be imported again as a new version.
  3. If the destroyed version protected sensitive data, inventory that data and treat anything that cannot be decrypted after the deadline as lost; restore it from backups where they exist. Rotate the affected key (create a new primary version) so new data is no longer written under a key an attacker has tampered with, and re-encrypt data that remains readable under the new version.
  4. Review and tighten the IAM permissions on your Cloud KMS keys so that only the principals who need to administer keys can destroy versions, and separate key administration from key use so workloads that encrypt and decrypt cannot destroy versions.
  5. Conduct a thorough investigation of other systems or resources the incident may have impacted to identify potential security issues.
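The investigation and resolution steps above come down to a few lookups in the Cloud Audit Log entry and a comparison against the destruction deadline. The following Python script is an added example, not part of this page or of FortiCNAPP, that performs that triage over constructed sample log entries: it picks out DestroyCryptoKeyVersion calls, extracts the principal, caller IP, user agent and exact key version, correlates SetIamPolicy changes on an enclosing scope shortly before the destroy (investigation step 2), and decides whether the version can still be restored (resolution step 2), emitting the restore command when it can. It assumes the audit entry's response field carries the returned CryptoKeyVersion with its destroyTime; when that field is absent it falls back to the 24-hour minimum window, and the real deadline should be confirmed with gcloud kms keys versions describe. The sample entries and all project, key and principal names in them are made up.

```python
"""Triage Cloud KMS DestroyCryptoKeyVersion events from Cloud Audit Logs.

Added example for this runbook, not FortiCNAPP, Fortinet or Google code.
Input is Cloud Audit Log JSON, either one entry per line (log sink) or a
JSON array (gcloud logging read --format=json). SAMPLE_LOG is constructed
test data with made-up project, key ring, key and principal names.
"""
import json
import re
from datetime import datetime, timedelta

DESTROY_METHOD = "google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion"

# A destroyed version stays in DESTROY_SCHEDULED for a per-key duration of at
# least 24 hours. If the entry has no destroyTime we assume this minimum, so
# the computed deadline errs on the early side (assumption, not a lookup).
MIN_DESTROY_WINDOW = timedelta(hours=24)

VERSION_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<keyring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"/cryptoKeyVersions/(?P<version>[^/]+)$"
)

# Constructed sample entries (field names follow the Cloud Audit Log schema).
SAMPLE_LOG = """\
{"timestamp": "2024-06-01T10:15:00Z", "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion", "resourceName": "projects/example-prj/locations/us-central1/keyRings/app-ring/cryptoKeys/db-cmek/cryptoKeyVersions/3", "authenticationInfo": {"principalEmail": "deploy-sa@example-prj.iam.gserviceaccount.com"}, "requestMetadata": {"callerIp": "203.0.113.7", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/450.0.0"}, "response": {"state": "DESTROY_SCHEDULED", "destroyTime": "2024-07-01T10:15:00Z"}}}
{"timestamp": "2024-06-01T09:40:00Z", "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "SetIamPolicy", "resourceName": "projects/example-prj/locations/us-central1/keyRings/app-ring", "authenticationInfo": {"principalEmail": "bob@example.com"}, "requestMetadata": {"callerIp": "198.51.100.23"}, "request": {"policy": {"bindings": [{"role": "roles/cloudkms.admin", "members": ["serviceAccount:deploy-sa@example-prj.iam.gserviceaccount.com"]}]}}}}
{"timestamp": "2024-06-01T10:16:02Z", "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "google.cloud.kms.v1.KeyManagementService.Encrypt", "resourceName": "projects/example-prj/locations/us-central1/keyRings/app-ring/cryptoKeys/db-cmek", "authenticationInfo": {"principalEmail": "app-sa@example-prj.iam.gserviceaccount.com"}, "requestMetadata": {"callerIp": "10.0.4.12"}}}
{"timestamp": "2024-04-30T23:58:41Z", "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion", "resourceName": "projects/example-prj/locations/us-central1/keyRings/app-ring/cryptoKeys/legacy-key/cryptoKeyVersions/1", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "198.51.100.23", "callerSuppliedUserAgent": "Mozilla/5.0"}}}
"""


def _ts(value):
    """RFC 3339 timestamp with trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_entries(text):
    """Accept a JSON array or one JSON object per line."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def restore_command(f):
    """gcloud command that restores a version still in DESTROY_SCHEDULED."""
    return (f"gcloud kms keys versions restore {f['version']} --key={f['key']} "
            f"--keyring={f['keyring']} --location={f['location']} "
            f"--project={f['project']}")


def triage_destroy_events(entries, now):
    """One finding per destroy call: who, from where, which version, and
    whether it is still restorable at `now`."""
    findings = []
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("methodName") != DESTROY_METHOD:
            continue
        m = VERSION_RE.match(p.get("resourceName", ""))
        if not m:
            continue  # not a version resource name; do not guess
        event_time = _ts(e["timestamp"])
        # Assumption: the logged response is the CryptoKeyVersion, whose
        # destroyTime is when the material is actually deleted.
        destroy_time = p.get("response", {}).get("destroyTime")
        deadline = _ts(destroy_time) if destroy_time else event_time + MIN_DESTROY_WINDOW
        meta = p.get("requestMetadata", {})
        f = {
            **m.groupdict(),
            "resource_name": p["resourceName"],
            "event_time": event_time,
            "principal": p.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "caller_ip": meta.get("callerIp", "<unknown>"),
            "user_agent": meta.get("callerSuppliedUserAgent", "<unknown>"),
            "deadline_known": destroy_time is not None,
            "restore_deadline": deadline,
            "restorable": now < deadline,
        }
        f["next_step"] = (restore_command(f) if f["restorable"] else
                          "deadline passed: key material is gone; inventory data encrypted under this version")
        findings.append(f)
    return findings


def iam_changes_before(entries, finding, window):
    """SetIamPolicy calls within `window` before the destroy whose scope (key,
    key ring, project, ...) contains the destroyed version."""
    out = []
    for e in entries:
        p = e.get("protoPayload", {})
        scope = p.get("resourceName", "")
        if not p.get("methodName", "").endswith("SetIamPolicy") or not scope:
            continue
        if not finding["resource_name"].startswith(scope):
            continue
        t = _ts(e["timestamp"])
        if finding["event_time"] - window <= t <= finding["event_time"]:
            out.append({"time": t, "scope": scope,
                        "principal": p.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
                        "bindings": p.get("request", {}).get("policy", {}).get("bindings", [])})
    return out


def run_sample(now_iso="2024-06-10T00:00:00Z", lookback_hours=2):
    """Triage SAMPLE_LOG as of `now_iso`, attaching recent IAM changes."""
    entries = parse_entries(SAMPLE_LOG)
    findings = triage_destroy_events(entries, _ts(now_iso))
    for f in findings:
        f["iam_changes"] = iam_changes_before(entries, f, timedelta(hours=lookback_hours))
    return findings


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['event_time']:%Y-%m-%d %H:%M}Z {f['principal']} from {f['caller_ip']} "
              f"destroyed {f['key']} v{f['version']}; restorable={f['restorable']} "
              f"until {f['restore_deadline']:%Y-%m-%d %H:%M}Z")
        print("  next:", f["next_step"])
        for g in f["iam_changes"]:
            print(f"  IAM change {g['time']:%H:%M}Z by {g['principal']} on {g['scope']}")
```

In the sample data the first destroy (db-cmek version 3) is still within its window on 2024-06-10 and is preceded 35 minutes earlier by a key-ring-level grant of roles/cloudkms.admin to the same service account, which is exactly the pattern investigation step 2 looks for; the second destroy (legacy-key version 1) carries no destroyTime, so the script assumes the 24-hour minimum and reports the material as unrecoverable. Point parse_entries at real export output to run the same triage on your own logs.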