AWS KMS Key User Performing S3 Encryption
Detection of AWS users employing KMS keys for S3 encryption, potentially indicating suspicious data handling within cloud environments.
This detection focuses on identifying AWS Identity and Access Management (IAM) users who are actively utilizing Key Management Service (KMS) keys to encrypt data within Simple Storage Service (S3) buckets. While not inherently malicious, such activity warrants monitoring as it could signify insider threats, compromised accounts, or unauthorized data handling procedures. Attackers might leverage stolen credentials or compromised IAM roles to encrypt data using KMS, potentially as a precursor to data exfiltration or ransomware-like activity targeting cloud storage. This activity should be considered especially concerning if the KMS keys being used are outside the user's normal operational scope.
Attack Chain
- An attacker gains unauthorized access to an AWS account, either through compromised credentials or exploiting a misconfigured IAM role.
- The attacker enumerates available S3 buckets and identifies a target bucket containing sensitive data.
- The attacker identifies or creates a KMS key within the AWS environment.
- The attacker configures the target S3 bucket to use the identified KMS key for encryption of objects stored within it.
- The attacker uploads or modifies objects within the S3 bucket, triggering encryption using the KMS key.
- The attacker attempts to exfiltrate the encrypted data.
Impact
Successful exploitation could lead to unauthorized access to sensitive data stored within S3 buckets. Depending on the nature of the data, this could result in financial losses, reputational damage, and legal repercussions. Furthermore, if the attacker controls the KMS key, they could render the data inaccessible, effectively holding it hostage. The impact can vary based on the scope of the compromised data and the attacker's objectives, potentially affecting customer data, intellectual property, or critical business information.
Detection coverage 2
Detect KMS Key Usage for S3 Encryption
lowDetects IAM users utilizing KMS keys to encrypt S3 objects.
Detect S3 Bucket Encryption Configuration with KMS
mediumDetects changes to S3 bucket encryption configuration to use KMS keys.
Detection queries are available on the platform. Get full rules →