cscli scenarios install crowdsecurity/aws-cis-benchmark-kms-deletion
Detects disabling or scheduled deletion of AWS KMS keys (Section 4.7 of the CIS AWS Foundations Benchmark 1.4.0).
type: trigger
name: crowdsecurity/aws-cis-benchmark-kms-deletion
description: "Detect AWS KMS key deletion"
filter: |
  evt.Meta.log_type == 'aws-cloudtrail' &&
  evt.Unmarshaled.cloudtrail.eventSource == "kms.amazonaws.com" &&
  (evt.Meta.event_name == "DisableKey" || evt.Meta.event_name == "ScheduleKeyDeletion")
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1485
  behavior: "cloud:audit"
  label: "AWS KMS indicator removal"
  service: aws
  cti: false
  remediation: false
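The same match condition applied offline to raw CloudTrail records, with the fields an analyst needs for triage pulled out of each hit. This is an added example, not code from CrowdSec or the hub; it assumes `evt.Meta.event_name` carries CloudTrail's `eventName` field, and every record in the sample is constructed.

```python
import json

# Constructed CloudTrail delivery ("Records" array layout); all values are made up.
SAMPLE = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"keyId": "example-key-1", "pendingWindowInDays": 7}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-role"},
     "requestParameters": {"keyId": "example-key-2"}},
    # Same service, but an action the scenario does not watch.
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CancelKeyDeletion",
     "requestParameters": {"keyId": "example-key-1"}},
    # Watched event name, but from a different (hypothetical) event source.
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "example.amazonaws.com",
     "eventName": "DisableKey", "requestParameters": None},
    # A denied call: CloudTrail still logs it, with errorCode set.
    {"eventTime": "2024-01-01T10:08:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
     "requestParameters": None},
]})

WATCHED = {"DisableKey", "ScheduleKeyDeletion"}

def matches(record):
    """Equivalent of the scenario filter, applied to one raw CloudTrail record."""
    return (record.get("eventSource") == "kms.amazonaws.com"
            and record.get("eventName") in WATCHED)

def triage(raw):
    """Return one summary dict per matching record in a CloudTrail delivery."""
    hits = []
    for rec in json.loads(raw).get("Records", []):
        if not matches(rec):
            continue
        params = rec.get("requestParameters") or {}  # may be null on failed calls
        hits.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "key": params.get("keyId"),
            "pending_days": params.get("pendingWindowInDays"),
            "error": rec.get("errorCode"),  # None means the call succeeded
        })
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

The `error` field separates attempted from completed actions, which the match condition alone does not distinguish.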