Query: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
Description
You can monitor API calls in real time by sending CloudTrail logs to CloudWatch Logs and creating matching metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer managed keys that have been disabled or scheduled for deletion. Data encrypted with disabled or deleted keys is no longer accessible.
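The following is an added example, not the mod's own SQL query and not code from the page's author: a stand-alone Python re-creation of the check this query performs, run over constructed inventory records. The filter pattern is the one CIS and Security Hub publish for this control; the record field names (trail, metric filter, alarm and SNS subscription attributes) are assumptions chosen to resemble the columns of the tables listed below, not the tables' real schema.

```python
import re

# CloudWatch Logs filter pattern that CIS / Security Hub expect for this control.
CIS_FILTER_PATTERN = (
    "{ ($.eventSource = kms.amazonaws.com) && "
    "(($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
)

# Term checks rather than an exact string compare, so a customer's filter that
# differs only in spacing or ordering still counts as covering both events.
_REQUIRED_TERMS = [
    re.compile(r"\$\.eventSource\s*=\s*\"?kms\.amazonaws\.com\"?"),
    re.compile(r"\$\.eventName\s*=\s*\"?DisableKey\"?"),
    re.compile(r"\$\.eventName\s*=\s*\"?ScheduleKeyDeletion\"?"),
]


def pattern_covers_cmk_events(pattern):
    """True if a filter pattern matches KMS DisableKey and ScheduleKeyDeletion."""
    return all(rx.search(pattern) for rx in _REQUIRED_TERMS)


def trail_is_eligible(trail):
    """A trail only counts if it is multi-region, actively logging, records all
    management events (read and write) and delivers to a CloudWatch Logs group."""
    return (
        trail["is_multi_region_trail"]
        and trail["is_logging"]
        and trail["log_group_name"] is not None
        and any(
            sel["include_management_events"] and sel["read_write_type"] == "All"
            for sel in trail["event_selectors"]
        )
    )


def evaluate_account(trails, metric_filters, alarms, subscriptions):
    """Return (status, reason) for one account. Status is "ok" when some eligible
    trail's log group has a covering metric filter whose metric drives an alarm
    that notifies an SNS topic with at least one subscription; else "alarm"."""
    subscribed_topics = {s["topic_arn"] for s in subscriptions}
    for trail in trails:
        if not trail_is_eligible(trail):
            continue
        for mf in metric_filters:
            if mf["log_group_name"] != trail["log_group_name"]:
                continue
            if not pattern_covers_cmk_events(mf["filter_pattern"]):
                continue
            for alarm in alarms:
                if alarm["metric_name"] != mf["metric_transformation_name"]:
                    continue
                if subscribed_topics & set(alarm["alarm_actions"]):
                    return "ok", f"{trail['name']} has a CMK disable/delete metric filter and alarm"
    return "alarm", "no eligible trail has a CMK disable/delete metric filter with a subscribed alarm"


# Constructed sample inventory (hypothetical names and ARNs, not real resources).
SAMPLE_TRAILS = [{
    "name": "org-trail", "is_multi_region_trail": True, "is_logging": True,
    "log_group_name": "cloudtrail-logs",
    "event_selectors": [{"include_management_events": True, "read_write_type": "All"}],
}]
GOOD_FILTERS = [{"log_group_name": "cloudtrail-logs", "filter_pattern": CIS_FILTER_PATTERN,
                 "metric_transformation_name": "CMKDisableOrDelete"}]
# Weak variant: only DisableKey is matched, so ScheduleKeyDeletion goes unnoticed.
WEAK_FILTERS = [{"log_group_name": "cloudtrail-logs",
                 "filter_pattern": "{ ($.eventSource = kms.amazonaws.com) && ($.eventName = DisableKey) }",
                 "metric_transformation_name": "CMKDisableOrDelete"}]
SAMPLE_ALARMS = [{"metric_name": "CMKDisableOrDelete",
                  "alarm_actions": ["arn:aws:sns:us-east-1:111122223333:security-alerts"]}]
SAMPLE_SUBSCRIPTIONS = [{"topic_arn": "arn:aws:sns:us-east-1:111122223333:security-alerts"}]


def run_samples():
    """Evaluate the compliant and the weak configuration; returns both statuses."""
    good = evaluate_account(SAMPLE_TRAILS, GOOD_FILTERS, SAMPLE_ALARMS, SAMPLE_SUBSCRIPTIONS)
    weak = evaluate_account(SAMPLE_TRAILS, WEAK_FILTERS, SAMPLE_ALARMS, SAMPLE_SUBSCRIPTIONS)
    return good[0], weak[0]


if __name__ == "__main__":
    for label, data in (("compliant", GOOD_FILTERS), ("weak", WEAK_FILTERS)):
        status, reason = evaluate_account(SAMPLE_TRAILS, data, SAMPLE_ALARMS, SAMPLE_SUBSCRIPTIONS)
        print(f"{label}: {status} - {reason}")
```

The weak variant is the failure mode worth remembering: a filter that matches `DisableKey` alone looks like coverage in the console but leaves `ScheduleKeyDeletion` unmonitored, which is why the check insists on both terms rather than on the mere presence of a KMS-related filter.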
Query
Tables used in this query:
- aws_account
- aws_cloudtrail_trail
- aws_cloudwatch_alarm
- aws_cloudwatch_log_metric_filter
- aws_sns_topic_subscription
Controls using this query:
- 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- 4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored
- 4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored
- 4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored
- 4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored
- Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys