KMS Key Protection

Policy Description

What this SCP does

This Service Control Policy (SCP) prevents deletion or disabling of KMS keys, protecting the encryption infrastructure that secures your data. This ensures encryption keys remain available for data decryption.

By blocking attempts to schedule key deletion or disable existing KMS keys, this policy ensures that encrypted data remains accessible and prevents accidental or malicious attempts to compromise the encryption infrastructure of your organization.

Validation Strategy

How to test this SCP works

To validate this SCP, create a KMS key and attempt to delete or disable it.

Valid test: Create a new KMS key (should succeed)
Invalid test: Schedule deletion of the KMS key (should be denied)
Invalid test: Disable the KMS key (should be denied)

We expect attempts to schedule key deletion or disable keys to be denied with AccessDenied errors. This confirms that the SCP is preserving the accessibility of encryption infrastructure.

SCP Policy & Validation Scenarios

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyKMSKeyModification",
      "Effect": "Deny",
      "Action": [
        "kms:ScheduleKeyDeletion",
        "kms:DisableKey"
      ],
      "Resource": "*"
    }
  ]
}

# Create a KMS key (if allowed)
aws kms create-key --description "Test SCP Key"

# Save the key ID (replace with your actual key ID from create-key output)
KEY_ID="1234abcd-12ab-34cd-56ef-1234567890ab"

# Try to schedule key deletion (this should be denied)
aws kms schedule-key-deletion --key-id $KEY_ID --pending-window-in-days 7

# Try to disable the key (this should be denied)
aws kms disable-key --key-id $KEY_ID

import boto3

# Initialize KMS client
kms_client = boto3.client('kms')

# Create a KMS key
try:
    response = kms_client.create_key(Description='Test SCP Key')
    key_id = response['KeyMetadata']['KeyId']
    print(f"Created KMS key: {key_id}")
    
    # Try to schedule key deletion (this should be denied)
    try:
        kms_client.schedule_key_deletion(
            KeyId=key_id,
            PendingWindowInDays=7
        )
        print("WARNING: Key deletion scheduling succeeded, which means the SCP is NOT restricting as expected")
    except Exception as e:
        print(f"Expected error for key deletion if SCP is working: {e}")
    
    # Try to disable the key (this should be denied)
    try:
        kms_client.disable_key(KeyId=key_id)
        print("WARNING: Key disabling succeeded, which means the SCP is NOT restricting as expected")
    except Exception as e:
        print(f"Expected error for key disabling if SCP is working: {e}")
    
    # Note: If the SCP works, you'll need to remove it to clean up this key
    print(f"Note: If the SCP worked, you might need to remove it to schedule deletion of key {key_id}")
except Exception as e:
    print(f"Could not create KMS key: {e}")