Skip to content
Threat Feed
high advisory

AWS KMS Key Creation with Public Encryption Policy

An attacker may create AWS KMS keys with a permissive encryption policy, granting `kms:Encrypt` permissions to all principals, potentially leading to unauthorized encryption and data compromise across multiple organizations.

This analytic identifies the creation of AWS Key Management Service (KMS) keys configured with an encryption policy that grants broad access, including potentially external entities. The activity is detected by monitoring AWS CloudTrail logs ingested via Amazon Security Lake for CreateKey and PutKeyPolicy events. Specifically, the rule flags instances where the kms:Encrypt action is permitted for all principals ("*"). This misconfiguration can indicate a compromised AWS account, which could then be leveraged to misuse the encryption key, potentially targeting other organizations and their data. Successful exploitation allows an attacker to encrypt data, leading to operational disruptions and data breaches, especially if the key is used across multiple organizations.

Attack Chain

  1. The attacker compromises an AWS account, possibly through credential theft or a vulnerability in an application running within the environment.
  2. The attacker uses the compromised AWS credentials to authenticate to the AWS Management Console or via the AWS CLI/API.
  3. The attacker issues a CreateKey API call to create a new KMS key using the AWS KMS service.
  4. The attacker issues a PutKeyPolicy API call to set the encryption policy for the newly created KMS key.
  5. The attacker configures the KMS key policy to grant kms:Encrypt permissions to all principals, effectively making the key publicly usable for encryption operations.
  6. The attacker (or another entity) uses the publicly accessible KMS key to encrypt data, potentially rendering it inaccessible to legitimate users.
  7. The attacker leverages the unauthorized encryption to disrupt services, extort victims, or cause reputational damage.

Impact

Successful exploitation of this misconfiguration can lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. The broad encryption policy allows any principal, including malicious actors, to encrypt data using the KMS key. This can result in data unavailability, extortion attempts, and significant reputational damage. A single compromised key can affect numerous organizations if the key is accessible and used across those entities, increasing the scope and severity of the impact.

Recommendation

  • Deploy the Sigma rule Detect AWS KMS Key Creation with Public Encryption Policy to your SIEM and tune for your environment to identify KMS key creation with broad encryption permissions based on Amazon Security Lake logs.
  • Investigate any alerts generated by the Sigma rule by examining the api.request.data field in the CloudTrail logs for suspicious principal configurations.
  • Review and remediate any existing KMS keys with overly permissive encryption policies, restricting access to only authorized principals.
  • Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of account compromise and unauthorized key creation.
  • Monitor CloudTrail logs for suspicious API calls related to KMS key management, such as CreateKey, PutKeyPolicy, and Encrypt operations using the amazon_security_lake data source.

Detection coverage 2

Detect AWS KMS Key Creation with Public Encryption Policy

high

Detects the creation of AWS KMS keys with an encryption policy granting kms:Encrypt permission to all principals, indicating a potential misconfiguration or compromise.

sigma tactics: impact techniques: T1486 sources: cloudtrail, aws

Detect AWS KMS Key Policy Modification with Broad Permissions

medium

Detects modifications to KMS key policies that grant broad permissions, including kms:Encrypt, to all principals, potentially indicating a misconfiguration or compromise.

sigma tactics: impact techniques: T1486 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →