Skip to content

DisableKey

AWS

DisableKey

service: AWS - KMS
tactics:
techniques:

Event

Disables a KMS encryption key, preventing any operations that depend on it until the key is re-enabled.

Security Context

  • Disabling a KMS key renders all data encrypted with that key inaccessible, causing immediate disruption to dependent services including S3, EBS, RDS, and other AWS resources.
  • This technique mirrors ransomware patterns in cloud environments where adversaries disable or schedule deletion of encryption keys to hold data hostage or cause maximum operational impact.

Log Source

CloudTrail

Sample Event

Adversarial. Draco disables the prod KMS data key (60000000-0000-4000-8000-000000000001) used to encrypt OCCAMY ingest data and PHOENIX backup snapshots. With the key disabled, every dependent service immediately throws KMSDisabledException on read/write — a textbook cloud-ransomware impact pattern (T1489: Service Stop). The blast radius spans S3 (NIFFLER PII partition), EBS, and RDS in us-east-1.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T20:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:31:18Z",
"eventSource": "kms.amazonaws.com",
"eventName": "DisableKey",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"keyId": "60000000-0000-4000-8000-000000000001"
},
"responseElements": {
"keyId": "arn:aws:kms:us-east-1:555123456789:key/60000000-0000-4000-8000-000000000001"
},
"requestID": "90000000-0000-4000-8000-000100110000",
"eventID": "90000000-0000-4000-8000-000100110001",
"readOnly": false,
"resources": [
{
"accountId": "555123456789",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-east-1:555123456789:key/60000000-0000-4000-8000-000000000001"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "kms.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Impact

Techniques:
  • T1489 — Service Stop — Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.