CCC.KeyMgmt.C01: Alert on Key-version Changes
Control ID: CCC.KeyMgmt.C01
Title: Alert on Key-version Changes
Objective: Generate near-real-time alerts when a KMS key version is disabled or scheduled for deletion, enabling rapid investigation and recovery.
Control Family: Logging and Metrics Publication
Related Threats
ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
---|---|---|---|---|---|
CCC.KeyMgmt.TH01 | Deletion or Disabling of Key Versions Causing Denial of Service or Data Loss | Disabling, scheduling deletion, or permanently purging KMS key versions that protect sensitive data can prevent required decryption or signing operations. Service interruption or irreversible data loss may occur if the key material is no longer recoverable. | 1 | 1 | 0 |
Related Capabilities
ID | Title | Description |
---|---|---|
CCC.KeyMgmt.F14 | Key Versioning | Provides the ability to manage multiple versions of a key. |
CCC.KeyMgmt.F16 | Disable key | Supports the ability to disable a managed key without deletion. |
CCC.KeyMgmt.F18 | Soft Delete | Supports the ability to prevent the immediate deletion of a managed key. This includes the ability to recover from accidental deletion of keys within a grace period. |
CCC.KeyMgmt.F19 | Delete Key | Supports the ability to permanently delete a managed key after the grace period defined on soft delete. |