Disabled or Scheduled Deletion of CMK
According to AWS, customer master keys (CMKs) are the primary resources in key management and the equivalent of a master key. These encryption keys are used to encrypt and decrypt resources and to keep them secure. An account owner can opt in to managing the key themselves or have Amazon handle the workload. If the account owner handles all tasks related to the key, they have the option to disable or delete a master key.
The CMK is of the highest importance because subsequent keys created in the account owner's environment derive from the CMK. If something were to happen to the CMK, the user would no longer be able to access their resources. CUIT monitors for attempts at changing the state of the CMK from 'enabled' to 'scheduled for deletion.' Deleting the key is an effective method of performing a denial of service attack: a malicious user can cause serious harm by locking an account owner out of their resources permanently. AWS describes the exact effect as:
"Deleting a CMK is a destructive and potentially dangerous operation. When a CMK is deleted, all data that was encrypted under the CMK is unrecoverable. To prevent the use of a CMK without deleting it, use DisableKey."
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html
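The monitoring described above can be expressed as a filter over CloudTrail records for the KMS DisableKey and ScheduleKeyDeletion calls, including denied attempts, plus a check for keys still pending deletion. This Python is an added example, not CUIT's or AWS's own code; the sample records, severity labels and function names are constructed for illustration, and it assumes a key is referenced by the same identifier in every call.

```python
import json

# Severity per watched KMS event name; the labels are this example's own choice.
WATCHED = {"DisableKey": "medium", "ScheduleKeyDeletion": "high"}

# Constructed sample CloudTrail records: every ARN and key ID below is made up.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime":"2024-01-10T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject"},
 {"eventTime":"2024-01-10T09:05:00Z","eventSource":"kms.amazonaws.com","eventName":"DisableKey",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"keyId":"key-aaaa"}},
 {"eventTime":"2024-01-10T09:10:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion",
  "errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/mallory"},
  "requestParameters":{"keyId":"key-bbbb","pendingWindowInDays":7}},
 {"eventTime":"2024-01-10T09:20:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},
  "requestParameters":{"keyId":"key-bbbb","pendingWindowInDays":7}},
 {"eventTime":"2024-01-10T09:30:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},
  "requestParameters":{"keyId":"key-cccc","pendingWindowInDays":30}},
 {"eventTime":"2024-01-10T09:45:00Z","eventSource":"kms.amazonaws.com","eventName":"CancelKeyDeletion",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"keyId":"key-cccc"}}
]""")

def kms_events(records):
    """Yield (record, requestParameters) for KMS events, oldest first."""
    for rec in sorted(records, key=lambda r: r.get("eventTime", "")):
        if rec.get("eventSource") == "kms.amazonaws.com":
            yield rec, rec.get("requestParameters") or {}

def detect_cmk_state_changes(records):
    """Alert on every attempt, denied ones included, to disable or schedule deletion of a key."""
    alerts = []
    for rec, params in kms_events(records):
        name = rec.get("eventName")
        if name in WATCHED:
            alerts.append({
                "time": rec.get("eventTime"), "action": name, "severity": WATCHED[name],
                "key_id": params.get("keyId"), "actor": (rec.get("userIdentity") or {}).get("arn"),
                "pending_window_days": params.get("pendingWindowInDays"),
                "succeeded": "errorCode" not in rec,
            })
    return alerts

def keys_pending_deletion(records):
    """Keys with a successful ScheduleKeyDeletion not undone by a later CancelKeyDeletion."""
    pending = set()
    for rec, params in kms_events(records):
        name, ok = rec.get("eventName"), "errorCode" not in rec
        if ok and name == "ScheduleKeyDeletion":
            pending.add(params.get("keyId"))
        elif ok and name == "CancelKeyDeletion":
            pending.discard(params.get("keyId"))
    return pending
```

A key returned by keys_pending_deletion is still inside its waiting period, so the deletion can be cancelled before the data encrypted under it becomes unrecoverable.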