DisableKey
AWS
DisableKey
Event
Disables a KMS encryption key, preventing any operations that depend on it until the key is re-enabled.
Security Context
- Disabling a KMS key renders all data encrypted with that key inaccessible, causing immediate disruption to dependent services including S3, EBS, RDS, and other AWS resources.
- This technique mirrors ransomware patterns in cloud environments where adversaries disable or schedule deletion of encryption keys to hold data hostage or cause maximum operational impact.
Log Source
CloudTrail
Sample Event
Adversarial. Draco disables the prod KMS data key (60000000-0000-4000-8000-000000000001) used to encrypt OCCAMY ingest data and PHOENIX backup snapshots. With the key disabled, every dependent service immediately throws KMSDisabledException on read/write — a textbook cloud-ransomware impact pattern (T1489: Service Stop). The blast radius spans S3 (NIFFLER PII partition), EBS, and RDS in us-east-1.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T20:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:31:18Z", "eventSource": "kms.amazonaws.com", "eventName": "DisableKey", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "keyId": "60000000-0000-4000-8000-000000000001" }, "responseElements": { "keyId": "arn:aws:kms:us-east-1:555123456789:key/60000000-0000-4000-8000-000000000001" }, "requestID": "90000000-0000-4000-8000-000100110000", "eventID": "90000000-0000-4000-8000-000100110001", "readOnly": false, "resources": [ { "accountId": "555123456789", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:555123456789:key/60000000-0000-4000-8000-000000000001" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Impact
Techniques:
- T1489 — Service Stop — Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.