Updated on 2025-08-25 GMT+08:00

Alarm Rules Have Been Configured for Key Disablement and Deletion

Rule Details

Table 1 Rule details

| Parameter | Description |
| --- | --- |
| Rule Name | alarm-kms-disable-or-delete-key |
| Identifier | Alarm Rules Have Been Configured for Key Disablement and Deletion |
| Description | If there are no alarm rules configured for disabling or deleting KMS keys, the check result is non-compliant. |
| Tag | ces, kms |
| Trigger Type | Periodic |
| Filter Type | Account |
| Rule Parameters | None |

Application Scenarios

You can set alarm rules for key metrics of cloud services. When the conditions in an alarm rule are met, Cloud Eye sends an email or text message, or sends HTTP/HTTPS messages, so that you can respond quickly to resource changes. For details, see Alarm Overview.

For details about the events supported by Cloud Eye, see Events Supported by Event Monitoring. You need to pay special attention to the "disableKey" and "scheduleKeyDeletion" events for KMS. If the key is disabled, data encrypted using the key cannot be decrypted, and the data will be permanently unavailable.

Solution

Create related alarm rules.

Rule Logic

  • If there are no alarm rules configured for disabling or deleting KMS keys, this rule is non-compliant.
  • If there are alarm rules configured for disabling or deleting KMS keys, this rule is compliant.
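The rule logic above can be rehearsed locally against an exported list of alarm rules. The following Python sketch is an added example, not Huawei Cloud's implementation of the built-in policy. The dictionary field names (`service`, `events`, `enabled`, `notify`) are hypothetical rather than the Cloud Eye API schema, the sample data is constructed, and the requirement that both events be covered by an enabled, notifying alarm rule is an assumption stricter than the page's wording.

```python
# Events the page singles out for KMS.
REQUIRED_EVENTS = ("disableKey", "scheduleKeyDeletion")

# Constructed sample data. Field names are hypothetical, not the Cloud Eye schema.
SAMPLE_ALARM_RULES = [
    {"name": "kms-disable", "service": "KMS", "events": ["disableKey"],
     "enabled": True, "notify": True},
    # Exists but is switched off, so it alerts nobody.
    {"name": "kms-delete", "service": "KMS", "events": ["scheduleKeyDeletion"],
     "enabled": False, "notify": True},
    # Unrelated service with a placeholder event name; must not count.
    {"name": "other-service", "service": "ECS", "events": ["exampleEvent"],
     "enabled": True, "notify": True},
]


def covered_events(alarm_rules):
    """Return the required KMS events watched by at least one effective alarm rule."""
    covered = set()
    for rule in alarm_rules:
        if rule.get("service") != "KMS":
            continue
        # Assumption: a disabled or non-notifying alarm rule gives no coverage.
        if not rule.get("enabled") or not rule.get("notify"):
            continue
        covered.update(e for e in rule.get("events", []) if e in REQUIRED_EVENTS)
    return covered


def evaluate(alarm_rules):
    """Account-level verdict plus the events that still lack an alarm rule."""
    covered = covered_events(alarm_rules)
    missing = [e for e in REQUIRED_EVENTS if e not in covered]
    return {
        "compliance": "NonCompliant" if missing else "Compliant",
        "missing_events": missing,
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_ALARM_RULES))
```

Reporting the missing events alongside the verdict shows which alarm rule to create when following the Solution section.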