Skip to content
Threat Feed
medium advisory

AWS KMS Key User Performing S3 Encryption Detection

Detection of AWS users utilizing KMS keys to perform encryption operations on S3 buckets, indicating potential misuse or malicious activity within the cloud environment.

This brief focuses on detecting potentially malicious or unauthorized use of AWS Key Management Service (KMS) keys to encrypt data stored in Simple Storage Service (S3) buckets. The detection logic is based on identifying AWS CloudTrail logs indicating encryption operations performed by users who possess KMS keys. While the provided source material does not specify a particular threat actor or campaign, the ability to monitor and detect such activity is crucial for identifying insider threats, compromised accounts, or misconfigured permissions that could lead to data breaches or unauthorized access. This detection capability is a part of the Splunk Enterprise Security Content Update (ESCU) project and allows security teams to quickly identify potentially suspicious activity in their AWS environments.

Attack Chain

  1. An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or misconfigured IAM roles.
  2. The attacker identifies S3 buckets containing sensitive data.
  3. The attacker discovers KMS keys with permissions to encrypt data in the target S3 buckets.
  4. The attacker uses the KMS keys to encrypt existing objects in the S3 bucket or encrypts new objects as they are uploaded.
  5. The encryption operation is logged in AWS CloudTrail.
  6. A detection rule identifies the user utilizing KMS keys for S3 encryption based on CloudTrail logs.
  7. Security analysts investigate the activity to determine if it is legitimate or malicious.

Impact

Successful unauthorized encryption of S3 buckets using KMS keys can lead to data unavailability, data breaches, and compliance violations. A malicious actor could encrypt data and demand ransom for decryption keys, or they could encrypt data to hide their activities or disrupt services. The number of affected buckets and the sensitivity of the data they contain will determine the scope of the impact. Failure to detect and respond to this type of activity can result in significant financial losses, reputational damage, and legal consequences.

Recommendation

  • Implement the Sigma rule Detect AWS KMS Key User Performing S3 Encryption to identify users with KMS keys performing encryption operations on S3 buckets based on CloudTrail logs.
  • Enable AWS CloudTrail logging for all regions in your AWS environment to ensure comprehensive monitoring of API activity.
  • Regularly review IAM policies and KMS key policies to ensure that permissions are appropriately restricted.
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the encryption activity.

Detection coverage 2

Detect AWS KMS Key User Performing S3 Encryption

medium

Detects AWS users who possess KMS keys and are performing encryption operations on S3 buckets.

sigma tactics: impact techniques: T1489 sources: cloudtrail, aws

Detect AWS KMS Key Usage for S3 Encryption Changes

medium

Detects changes to S3 bucket encryption configurations using KMS keys.

sigma tactics: impact techniques: T1489 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →