Skip to content

ScheduleKeyDeletion

AWS

ScheduleKeyDeletion

service: AWS - KMS
techniques:

Event

Schedules a KMS customer managed key for deletion after a waiting period (7-30 days), after which encrypted data is unrecoverable.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.

Log Source

CloudTrail

Sample Event

Adversarial. Draco schedules deletion of the prod log-archive KMS key (60000000-0000-4000-8000-000000000010) used to encrypt CloudTrail logs in the fantasticlogs-cloudtrail S3 bucket. Sets PendingWindowInDays: 7 (the minimum) to maximize damage. Once the deletion completes, every CloudTrail log file encrypted by that CMK becomes ciphertext-only — destroying forensic evidence of the rest of the intrusion. T1485 (data destruction via key destruction) + T1685 (Disable or Modify Tools).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:08:42Z",
"eventSource": "kms.amazonaws.com",
"eventName": "ScheduleKeyDeletion",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"keyId": "arn:aws:kms:us-east-1:555123456789:key/60000000-0000-4000-8000-000000000010",
"pendingWindowInDays": 7
},
"responseElements": {
"keyId": "arn:aws:kms:us-east-1:555123456789:key/60000000-0000-4000-8000-000000000010",
"deletionDate": "Apr 22, 2026 8:08:42 PM",
"keyState": "PendingDeletion",
"pendingWindowInDays": 7
},
"requestID": "90000000-0000-4000-8000-000110100100",
"eventID": "90000000-0000-4000-8000-000110100101",
"readOnly": false,
"resources": [
{
"accountId": "555123456789",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-east-1:555123456789:key/60000000-0000-4000-8000-000000000010"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "kms.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Impact Defense Impairment

Techniques:
  • T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...