gcp · cloud kms · for responders

When the key is the data: racing the KMS destruction window on CMEK backups

Destroying the CMEK that encrypts backups makes them unrecoverable, which is data denial and extortion leverage at once. KMS only schedules destruction, so the scheduled window is your recovery chance.

In a cloud where data is encrypted with customer-managed keys, the key is the data. Destroy the key and the backups it protects are gone, which makes it both destruction and extortion leverage.

How the attack works

An attacker who has obtained rights over Cloud KMS calls DestroyCryptoKeyVersion on the CryptoKey versions that encrypt production backups and data via CMEK. KMS does not destroy a version instantly: it moves each version to SCHEDULED_FOR_DESTRUCTION and holds it for a configurable window during which it can be restored. Restore attempts against the encrypted backups start failing, and an extortion note arrives demanding payment before the window expires. The DestroyCryptoKeyVersion calls and the scheduled state are recorded in the always-on Admin Activity logs. In ATT&CK terms this is T1485, Data Destruction, paired with T1490, Inhibit System Recovery.

Why it works

Destruction was a single-identity, low-friction action. One identity with KMS rights could schedule destruction of the keys protecting every backup, turning a permission gap into total data denial.

How to fix it

The destruction window is the recovery opportunity, so containment is a race. Restore the SCHEDULED_FOR_DESTRUCTION versions before the window closes to re-enable decryption, and immediately revoke the attacker's KMS permissions so they cannot re-schedule destruction. A brand-new key cannot decrypt data the old version protected, disabling the keyring still loses access, and paying does not return control of the key.

For the root cause, gate KMS destroy and admin permissions behind break-glass with approval, separate key admins from data owners, set a longer destruction window that favors the defender, and alert on every DestroyCryptoKeyVersion. Treat the incident as both an availability loss and a breach question, and engage legal and law enforcement rather than relying on payment.
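As an added example (not code from this note or from GraphLattice), a Python triage over a constructed Admin Activity log that pairs each DestroyCryptoKeyVersion with any later RestoreCryptoKeyVersion on the same version, computes the seconds left in each version's window, orders the restores by urgency, lists the principals whose KMS rights to revoke, and shows how a longer destroy-scheduled duration keeps a version restorable. The flat entry layout, project and key names, principals and timestamps are all constructed; real Cloud Audit Log records nest methodName, resourceName and principalEmail under protoPayload.

```python
# Added triage over constructed Cloud KMS Admin Activity entries (flat layout is an assumption).
from datetime import datetime, timedelta, timezone

KMS = "google.cloud.kms.v1.KeyManagementService."
DESTROY, RESTORE = KMS + "DestroyCryptoKeyVersion", KMS + "RestoreCryptoKeyVersion"
KEY = "projects/p/locations/us/keyRings/backups/cryptoKeys/"  # constructed key ring
SA = "svc-backup-admin@example.iam.gserviceaccount.com"        # constructed principal

def entry(ts, method, who, res):
    return {"timestamp": ts, "methodName": method, "principalEmail": who, "resourceName": res}

# Constructed sample log in time order, not a real capture: two destroys on the
# backup key, one responder restore, one unrelated admin call, one stale destroy.
SAMPLE_LOG = [
    entry("2024-05-01T08:00:00Z", DESTROY, SA, KEY + "pg-backups/cryptoKeyVersions/3"),
    entry("2024-05-01T08:01:00Z", DESTROY, SA, KEY + "pg-backups/cryptoKeyVersions/2"),
    entry("2024-05-01T09:00:00Z", RESTORE, "responder@example.com", KEY + "pg-backups/cryptoKeyVersions/2"),
    entry("2024-05-01T09:05:00Z", KMS + "CreateCryptoKeyVersion", "responder@example.com", KEY + "pg-backups"),
    entry("2024-04-29T08:00:00Z", DESTROY, "mallory@example.com", KEY + "snapshots/cryptoKeyVersions/1"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def restore_plan(entries, now_iso, window_hours):
    """Seconds left in each destroyed version's window (schedule time plus the key's
    destroy-scheduled duration) and a status: 'restored', 'restorable' or 'lost'."""
    now, window = parse_ts(now_iso), timedelta(hours=window_hours)
    # Latest restore call per version; entries are assumed to be in time order.
    restored_at = {e["resourceName"]: parse_ts(e["timestamp"]) for e in entries if e["methodName"] == RESTORE}
    plan = {}
    for e in (x for x in entries if x["methodName"] == DESTROY):
        scheduled, name = parse_ts(e["timestamp"]), e["resourceName"]
        remaining = int((scheduled + window - now).total_seconds())
        if restored_at.get(name, scheduled) > scheduled:  # restored after being scheduled
            status = "restored"
        else:
            status = "restorable" if remaining > 0 else "lost"
        plan[name] = {"principal": e["principalEmail"], "remaining_s": remaining, "status": status}
    return plan

def principals_to_revoke(entries):
    """Every identity that issued a destroy call: revoke their KMS rights first."""
    return sorted({e["principalEmail"] for e in entries if e["methodName"] == DESTROY})

def restore_order(plan):
    """Still-restorable versions, soonest deadline first: the order to run restores in."""
    return [k for _, k in sorted((v["remaining_s"], k) for k, v in plan.items() if v["status"] == "restorable")]
```

Run restore_plan against the real log export with the key's actual destroy-scheduled duration; the stale "lost" entry is there to show why the window length set before the incident decides the outcome.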

Practice it

We built this as a GraphLattice Range scenario so responders can rehearse restoring scheduled key versions inside the window, cutting KMS access against the clock, and mapping the targeted keys to the backups they protect.