AWS KMS Key Creation with Public Encryption Policy
An attacker may create AWS KMS keys with a permissive encryption policy, granting `kms:Encrypt` permissions to all principals, potentially leading to unauthorized encryption and data compromise across multiple organizations.
This analytic identifies the creation of AWS Key Management Service (KMS) keys configured with an encryption policy that grants broad access, including potentially external entities. The activity is detected by monitoring AWS CloudTrail logs ingested via Amazon Security Lake for CreateKey and PutKeyPolicy events. Specifically, the rule flags instances where the kms:Encrypt action is permitted for all principals ("*"). This misconfiguration can indicate a compromised AWS account, which could then be leveraged to misuse the encryption key, potentially targeting other organizations and their data. Successful exploitation allows an attacker to encrypt data, leading to operational disruptions and data breaches, especially if the key is used across multiple organizations.
Attack Chain
- The attacker compromises an AWS account, possibly through credential theft or a vulnerability in an application running within the environment.
- The attacker uses the compromised AWS credentials to authenticate to the AWS Management Console or via the AWS CLI/API.
- The attacker issues a
CreateKeyAPI call to create a new KMS key using the AWS KMS service. - The attacker issues a
PutKeyPolicyAPI call to set the encryption policy for the newly created KMS key. - The attacker configures the KMS key policy to grant
kms:Encryptpermissions to all principals, effectively making the key publicly usable for encryption operations. - The attacker (or another entity) uses the publicly accessible KMS key to encrypt data, potentially rendering it inaccessible to legitimate users.
- The attacker leverages the unauthorized encryption to disrupt services, extort victims, or cause reputational damage.
Impact
Successful exploitation of this misconfiguration can lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. The broad encryption policy allows any principal, including malicious actors, to encrypt data using the KMS key. This can result in data unavailability, extortion attempts, and significant reputational damage. A single compromised key can affect numerous organizations if the key is accessible and used across those entities, increasing the scope and severity of the impact.
Recommendation
- Deploy the Sigma rule
Detect AWS KMS Key Creation with Public Encryption Policyto your SIEM and tune for your environment to identify KMS key creation with broad encryption permissions based on Amazon Security Lake logs. - Investigate any alerts generated by the Sigma rule by examining the
api.request.datafield in the CloudTrail logs for suspicious principal configurations. - Review and remediate any existing KMS keys with overly permissive encryption policies, restricting access to only authorized principals.
- Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of account compromise and unauthorized key creation.
- Monitor CloudTrail logs for suspicious API calls related to KMS key management, such as
CreateKey,PutKeyPolicy, andEncryptoperations using theamazon_security_lakedata source.
Detection coverage 2
Detect AWS KMS Key Creation with Public Encryption Policy
highDetects the creation of AWS KMS keys with an encryption policy granting kms:Encrypt permission to all principals, indicating a potential misconfiguration or compromise.
Detect AWS KMS Key Policy Modification with Broad Permissions
mediumDetects modifications to KMS key policies that grant broad permissions, including kms:Encrypt, to all principals, potentially indicating a misconfiguration or compromise.
Detection queries are available on the platform. Get full rules →