{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-key-management-service-kms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Key Management Service (KMS)","Amazon S3","AWS CloudTrail","AWS Identity and Access Management (IAM)"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","kms","s3","encryption"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis brief focuses on detecting potentially malicious or unauthorized use of AWS Key Management Service (KMS) keys to encrypt data stored in Simple Storage Service (S3) buckets. The detection logic is based on identifying AWS CloudTrail logs indicating encryption operations performed by users who possess KMS keys. While the provided source material does not specify a particular threat actor or campaign, the ability to monitor and detect such activity is crucial for identifying insider threats, compromised accounts, or misconfigured permissions that could lead to data breaches or unauthorized access. This detection capability is a part of the Splunk Enterprise Security Content Update (ESCU) project and allows security teams to quickly identify potentially suspicious activity in their AWS environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or misconfigured IAM roles.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies S3 buckets containing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers KMS keys with permissions to encrypt data in the target S3 buckets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the KMS keys to encrypt existing objects in the S3 bucket or encrypts new objects as they are uploaded.\u003c/li\u003e\n\u003cli\u003eThe encryption operation is logged in AWS CloudTrail.\u003c/li\u003e\n\u003cli\u003eA detection rule identifies the user utilizing KMS keys for S3 encryption based on CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the activity to determine if it is legitimate or malicious.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful unauthorized encryption of S3 buckets using KMS keys can lead to data unavailability, data breaches, and compliance violations. A malicious actor could encrypt data and demand ransom for decryption keys, or they could encrypt data to hide their activities or disrupt services. The number of affected buckets and the sensitivity of the data they contain will determine the scope of the impact. Failure to detect and respond to this type of activity can result in significant financial losses, reputational damage, and legal consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect AWS KMS Key User Performing S3 Encryption\u003c/code\u003e to identify users with KMS keys performing encryption operations on S3 buckets based on CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all regions in your AWS environment to ensure comprehensive monitoring of API activity.\u003c/li\u003e\n\u003cli\u003eRegularly review IAM policies and KMS key policies to ensure that permissions are appropriately restricted.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the encryption activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-kms-s3-encryption/","summary":"Detection of AWS users utilizing KMS keys to perform encryption operations on S3 buckets, indicating potential misuse or malicious activity within the cloud environment.","title":"AWS KMS Key User Performing S3 Encryption Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-kms-s3-encryption/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Key Management Service (KMS)"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","kms","datadestruction"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAWS KMS keys are critical for encryption across various AWS services like S3, EBS, and RDS. Disabling or scheduling a KMS key for deletion disrupts encryption and decryption workflows, potentially rendering data unrecoverable. The Elastic detection rule published on 2026-04-10 identifies attempts to disable or schedule the deletion of an AWS customer-managed KMS Key. These actions are typically rare, privileged, and tightly controlled, making unexpected instances high-risk. Adversaries might target KMS keys to sabotage recovery, impede forensic analysis, or destroy evidence. Defenders should prioritize monitoring KMS key lifecycle changes due to their potential for significant impact on data availability and business operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain the necessary KMS permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or API to execute the \u003ccode\u003eDisableKey\u003c/code\u003e command, specifying the ARN of the target KMS key.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses the AWS CLI or API to execute the \u003ccode\u003eScheduleKeyDeletion\u003c/code\u003e command, specifying the ARN of the target KMS key and a pending window in days.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eDisableKey\u003c/code\u003e or \u003ccode\u003eScheduleKeyDeletion\u003c/code\u003e event with a status of \u0026quot;success\u0026quot;.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eDisableKey\u003c/code\u003e was used, dependent services immediately begin failing or experience decryption errors.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eScheduleKeyDeletion\u003c/code\u003e was used, the key enters a pending deletion state for the specified number of days.\u003c/li\u003e\n\u003cli\u003eUpon deletion, all data encrypted with the key becomes unrecoverable, leading to data loss and disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling or deleting KMS keys can have severe consequences, potentially impacting numerous AWS services relying on the key for encryption, including S3, EBS, RDS, Secrets Manager, and Lambda. This can lead to data unavailability, service disruptions, and irreversible data loss. The scope of impact depends on the criticality of the data protected by the key and the number of services affected. Successful execution of this attack can impede incident response efforts and result in significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;AWS KMS Customer Managed Key Disabled or Scheduled for Deletion\u0026quot; Sigma rule to detect unauthorized KMS key lifecycle changes (rule.name).\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eDisableKey\u003c/code\u003e and \u003ccode\u003eScheduleKeyDeletion\u003c/code\u003e events to detect potentially malicious activity (index).\u003c/li\u003e\n\u003cli\u003eRestrict AWS KMS lifecycle permissions (\u003ccode\u003ekms:DisableKey\u003c/code\u003e, \u003ccode\u003ekms:ScheduleKeyDeletion\u003c/code\u003e) to a minimal set of privileged users and roles (references).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for administrators with KMS key management permissions to prevent unauthorized access (Security Best Practices reference).\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rules for KMS key state monitoring to continuously assess the configuration of KMS keys and detect deviations from desired states (Security Best Practices reference).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-kms-deletion/","summary":"An adversary may disable or schedule the deletion of an AWS customer-managed KMS Key to cause irreversible data loss, disrupt business operations, impede incident response, or hide evidence of prior activity.","title":"AWS KMS Customer Managed Key Disabled or Scheduled for Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-kms-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Key Management Service (KMS)","version":"https://jsonfeed.org/version/1.1"}