turbot/aws_compliance

Control: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys

Description

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer managed keys that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible.
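As an added illustration (not the mod's own named query), the check below evaluates a constructed inventory of metric filters, alarms and SNS subscriptions the way this control reasons about them: the filter pattern must reference the KMS event source and both DisableKey and ScheduleKeyDeletion, an alarm must watch the filter's metric, and that alarm must notify a topic with a confirmed subscription. The regular expressions, field names and sample ARNs are assumptions made for the example.

```python
import re

# Assumed approximation of the Security Hub / CIS requirement: the
# CloudWatch filter pattern must mention the KMS event source and both
# event names that change a customer managed key's state.
REQUIRED_TERMS = [
    re.compile(r'\$\.eventSource\s*=\s*"?kms\.amazonaws\.com"?'),
    re.compile(r'\$\.eventName\s*=\s*"?DisableKey"?'),
    re.compile(r'\$\.eventName\s*=\s*"?ScheduleKeyDeletion"?'),
]

def pattern_covers_cmk_changes(pattern: str) -> bool:
    """True if the filter pattern contains every required term."""
    return all(term.search(pattern) for term in REQUIRED_TERMS)

def evaluate(metric_filters, alarms, subscriptions) -> str:
    """Return 'ok' when some filter covers the required events, an alarm
    watches that filter's metric, and the alarm notifies an SNS topic with
    at least one confirmed subscription; otherwise return 'alarm'."""
    for f in metric_filters:
        if not pattern_covers_cmk_changes(f["pattern"]):
            continue
        for a in alarms:
            if a["metric_name"] != f["metric_name"]:
                continue
            for topic in a["alarm_actions"]:
                subs = subscriptions.get(topic, [])
                # SNS reports unconfirmed subscriptions as "PendingConfirmation".
                if any(s != "PendingConfirmation" for s in subs):
                    return "ok"
    return "alarm"

# Constructed sample inventory; the ARNs and names are placeholders.
FILTERS = [
    {"log_group": "cloudtrail-logs", "metric_name": "CMKDisableOrDelete",
     "pattern": '{ ($.eventSource = kms.amazonaws.com) && '
                '(($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }'},
    {"log_group": "cloudtrail-logs", "metric_name": "CMKDisableOnly",
     "pattern": '{ ($.eventSource = kms.amazonaws.com) && ($.eventName = DisableKey) }'},
]
TOPIC = "arn:aws:sns:us-east-1:111122223333:security-alerts"
ALARMS = [{"metric_name": "CMKDisableOrDelete", "alarm_actions": [TOPIC]}]
SUBSCRIPTIONS = {TOPIC: [TOPIC + ":0000-constructed-subscription"]}

if __name__ == "__main__":
    print(evaluate(FILTERS, ALARMS, SUBSCRIPTIONS))  # ok
```

The second filter is deliberately incomplete (no ScheduleKeyDeletion) to show why a filter that only catches DisableKey does not satisfy the control.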

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.log_metric_filter_disable_or_delete_cmk

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.log_metric_filter_disable_or_delete_cmk --share

SQL

This control uses a named query:

log_metric_filter_disable_or_delete_cmk

Tags