Key Status Check
Rule Details
| Parameter | Description |
|---|---|
| Rule Name | kms-not-scheduled-for-deletion |
| Identifier | Key Status Check |
| Description | If a KMS key is in Pending deletion state, this key is non-compliant. |
| Tag | kms |
| Trigger Type | Configuration change |
| Filter Type | kms.keys |
| Rule Parameters | None |
Application Scenarios
A key scheduled for deletion is not deleted until its scheduled deletion period expires. You can set the period to 7 to 1096 days. During this period the key is in the Pending deletion state.
A deleted key cannot be recovered. If a KMS key is deleted, the data encrypted with that key cannot be recovered, and services that depend on this data may be interrupted. Check the keys in Pending deletion state to avoid accidental deletion.
Use secure networks, such as VPN, instead of EIP networks to transmit data. Reduce the attack surface and improve the security of the data synchronization network by configuring firewalls, security groups, and ACL rules. For details, see Security Best Practices.
Solution
If the key was scheduled for deletion by mistake, cancel the scheduled deletion immediately.
If you are sure that the key should be deleted, ignore the non-compliance result for the key until the key is deleted. If you do not want the rule to evaluate keys that are expected to be deleted, add a tag to those KMS keys and use the tag in the compliance rule to filter them out (policy_filter). For details, see Compliance Rule Concepts.
Rule Logic
- If a KMS key is in Pending deletion state, this key is non-compliant.
- If a KMS key is not in Pending deletion state, this key is compliant.