DisableKey
Event
Disables a KMS encryption key, preventing any operations that depend on it until the key is re-enabled.
Security Context
- Disabling a KMS key renders all data encrypted with that key inaccessible, causing immediate disruption to dependent services including S3, EBS, RDS, and other AWS resources.
- This technique mirrors ransomware patterns in cloud environments where adversaries disable or schedule deletion of encryption keys to hold data hostage or cause maximum operational impact.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Impact
Techniques:
- T1489 — Service Stop — Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
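Added example (not part of the original entry): one way to triage DisableKey activity from CloudTrail, tracking which keys remain disabled after any later EnableKey and which principals disable several keys in a short window. The records are constructed and trimmed to the fields used; the account ID, role names, key IDs and the burst threshold are placeholder assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(time, name, actor, key, error=None):
    """Build a constructed CloudTrail record trimmed to the fields used here."""
    rec = {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": actor}, "requestParameters": {"keyId": key}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample data: account ID, role names and key IDs are placeholders.
ARN = "arn:aws:kms:us-east-1:111122223333:key/"
OPS = "arn:aws:sts::111122223333:assumed-role/ops-admin/alice"
UNK = "arn:aws:sts::111122223333:assumed-role/ci-build/session1"
SAMPLE = [
    _ev("2024-05-01T10:00:00Z", "DisableKey", OPS, "aaaa-1111"),
    _ev("2024-05-01T10:05:00Z", "EnableKey", OPS, ARN + "aaaa-1111"),  # re-enabled, ARN form
    _ev("2024-05-01T11:00:00Z", "DisableKey", UNK, "bbbb-2222", error="AccessDenied"),
    _ev("2024-05-01T11:01:00Z", "DisableKey", UNK, ARN + "cccc-3333"),
    _ev("2024-05-01T11:02:00Z", "DisableKey", UNK, "dddd-4444"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def analyze(records, burst=2, window=timedelta(minutes=10)):
    """Return ({key_id: actor} for keys still disabled, [actors with a burst of disables])."""
    disabled, per_actor = {}, defaultdict(list)
    for r in sorted(records, key=lambda r: _ts(r["eventTime"])):
        if r.get("eventSource") != "kms.amazonaws.com" or r.get("errorCode"):
            continue  # failed or denied calls did not change key state
        # keyId may be a bare key ID or a full key ARN; normalise to the ID
        key = (r.get("requestParameters") or {}).get("keyId", "").rsplit("/", 1)[-1]
        actor = r.get("userIdentity", {}).get("arn", "unknown")
        if r.get("eventName") == "DisableKey":
            disabled[key] = actor
            per_actor[actor].append(_ts(r["eventTime"]))
        elif r.get("eventName") == "EnableKey":
            disabled.pop(key, None)  # key is usable again
    bursts = sorted(a for a, ts in per_actor.items()
                    if any(sum(t <= u <= t + window for u in ts) >= burst for t in ts))
    return disabled, bursts

if __name__ == "__main__":
    still_disabled, bursty = analyze(SAMPLE)
    print("still disabled:", still_disabled)
    print("burst actors:", bursty)
```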