Unusual AWS S3 Object Encryption with SSE-C
Compromised AWS credentials are used to encrypt S3 objects using Server-Side Encryption with Customer-Provided Keys (SSE-C), rendering the objects unreadable without the attacker's key, potentially leading to data loss or extortion.
This rule identifies potentially malicious use of Server-Side Encryption with Customer-Provided Keys (SSE-C) within AWS S3. An attacker with compromised AWS credentials can use SSE-C to encrypt objects in an S3 bucket, effectively locking out legitimate users who do not possess the customer-provided key. This can be a ransomware tactic to extort the bucket owner or simply disrupt operations by making data inaccessible. The detection focuses on identifying first-time usage of SSE-C for a specific user and target bucket. The original rule was created on 2025/01/15, and updated on 2026/04/10.
Attack Chain
- An attacker gains unauthorized access to an AWS account, potentially through credential stuffing, phishing, or exploiting vulnerabilities in EC2 instances.
- The attacker enumerates S3 buckets accessible with the compromised credentials.
- The attacker uses the
PutObjectAPI call to upload or modify an object within a target S3 bucket. - The attacker specifies the
x-amz-server-side-encryption-customer-algorithmparameter within thePutObjectrequest, setting its value toAES256to enable SSE-C. - The attacker also provides the
x-amz-server-side-encryption-customer-keyandx-amz-server-side-encryption-customer-key-MD5headers with the SSE-C encryption key and its MD5 hash, respectively. - The S3 service encrypts the object using the provided key. The legitimate owners are now unable to access the objects without the attacker's encryption key.
- The attacker may upload a ransom note to the bucket, informing the victim of the encryption and demanding payment for the decryption key.
- The attacker may delete the original, unencrypted objects after successfully encrypting them.
Impact
A successful attack can lead to significant data unavailability, requiring restoration from backups or payment of a ransom to the attacker. The number of affected objects and buckets depends on the scope of the compromised credentials. Sectors handling sensitive data (e.g., healthcare, finance) are particularly vulnerable. The impact could range from operational disruption to severe financial losses and reputational damage.
Recommendation
- Enable AWS S3 data event logging in CloudTrail to monitor
PutObjectAPI calls (setup). - Deploy the Sigma rule "Detect S3 SSE-C Encryption" to identify potentially malicious encryption activity (rules). Tune the rule based on your environment's legitimate SSE-C usage.
- Investigate any alerts triggered by the Sigma rule, focusing on identifying the user, source IP, and targeted bucket (rules).
- Monitor for new or unusual IAM users or roles associated with S3 bucket access (references).
- Review and tighten IAM policies to limit access to S3 buckets to only authorized users and roles (references).
- Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise (references).
Detection coverage 2
Detect S3 SSE-C Encryption
highDetects the use of Server-Side Encryption with Customer-Provided Keys (SSE-C) in AWS S3 PutObject events, which may indicate ransomware activity.
Detect S3 SSE-C Encryption - First Time Use by User
highDetects the first time a user utilizes Server-Side Encryption with Customer-Provided Keys (SSE-C) in AWS S3 PutObject events within a 7 day window.
Detection queries are available on the platform. Get full rules →