<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Key Management Service (KMS) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-key-management-service-kms/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-key-management-service-kms/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS KMS Key User Performing S3 Encryption Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-aws-kms-s3-encryption/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-aws-kms-s3-encryption/</guid><description>Detection of AWS users utilizing KMS keys to perform encryption operations on S3 buckets, indicating potential misuse or malicious activity within the cloud environment.</description><content:encoded><![CDATA[<p>This brief focuses on detecting potentially malicious or unauthorized use of AWS Key Management Service (KMS) keys to encrypt data stored in Simple Storage Service (S3) buckets. The detection logic is based on identifying AWS CloudTrail logs indicating encryption operations performed by users who possess KMS keys. While the provided source material does not specify a particular threat actor or campaign, the ability to monitor and detect such activity is crucial for identifying insider threats, compromised accounts, or misconfigured permissions that could lead to data breaches or unauthorized access. This detection capability is a part of the Splunk Enterprise Security Content Update (ESCU) project and allows security teams to quickly identify potentially suspicious activity in their AWS environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or misconfigured IAM roles.</li>
<li>The attacker identifies S3 buckets containing sensitive data.</li>
<li>The attacker discovers KMS keys with permissions to encrypt data in the target S3 buckets.</li>
<li>The attacker uses the KMS keys to encrypt existing objects in the S3 bucket or encrypts new objects as they are uploaded.</li>
<li>The encryption operation is logged in AWS CloudTrail.</li>
<li>A detection rule identifies the user utilizing KMS keys for S3 encryption based on CloudTrail logs.</li>
<li>Security analysts investigate the activity to determine if it is legitimate or malicious.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful unauthorized encryption of S3 buckets using KMS keys can lead to data unavailability, data breaches, and compliance violations. A malicious actor could encrypt data and demand ransom for decryption keys, or they could encrypt data to hide their activities or disrupt services. The number of affected buckets and the sensitivity of the data they contain will determine the scope of the impact. Failure to detect and respond to this type of activity can result in significant financial losses, reputational damage, and legal consequences.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the Sigma rule <code>Detect AWS KMS Key User Performing S3 Encryption</code> to identify users with KMS keys performing encryption operations on S3 buckets based on CloudTrail logs.</li>
<li>Enable AWS CloudTrail logging for all regions in your AWS environment to ensure comprehensive monitoring of API activity.</li>
<li>Regularly review IAM policies and KMS key policies to ensure that permissions are appropriately restricted.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the encryption activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>kms</category><category>s3</category><category>encryption</category></item><item><title>AWS KMS Customer Managed Key Disabled or Scheduled for Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-kms-deletion/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-kms-deletion/</guid><description>An adversary may disable or schedule the deletion of an AWS customer-managed KMS Key to cause irreversible data loss, disrupt business operations, impede incident response, or hide evidence of prior activity.</description><content:encoded><![CDATA[<p>AWS KMS keys are critical for encryption across various AWS services like S3, EBS, and RDS. Disabling or scheduling a KMS key for deletion disrupts encryption and decryption workflows, potentially rendering data unrecoverable. The Elastic detection rule published on 2026-04-10 identifies attempts to disable or schedule the deletion of an AWS customer-managed KMS Key. These actions are typically rare, privileged, and tightly controlled, making unexpected instances high-risk. Adversaries might target KMS keys to sabotage recovery, impede forensic analysis, or destroy evidence. Defenders should prioritize monitoring KMS key lifecycle changes due to their potential for significant impact on data availability and business operations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account.</li>
<li>The attacker escalates privileges to obtain the necessary KMS permissions.</li>
<li>The attacker uses the AWS CLI or API to execute the <code>DisableKey</code> command, specifying the ARN of the target KMS key.</li>
<li>Alternatively, the attacker uses the AWS CLI or API to execute the <code>ScheduleKeyDeletion</code> command, specifying the ARN of the target KMS key and a pending window in days.</li>
<li>CloudTrail logs the <code>DisableKey</code> or <code>ScheduleKeyDeletion</code> event with a status of &quot;success&quot;.</li>
<li>If <code>DisableKey</code> was used, dependent services immediately begin failing or experience decryption errors.</li>
<li>If <code>ScheduleKeyDeletion</code> was used, the key enters a pending deletion state for the specified number of days.</li>
<li>Upon deletion, all data encrypted with the key becomes unrecoverable, leading to data loss and disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling or deleting KMS keys can have severe consequences, potentially impacting numerous AWS services relying on the key for encryption, including S3, EBS, RDS, Secrets Manager, and Lambda. This can lead to data unavailability, service disruptions, and irreversible data loss. The scope of impact depends on the criticality of the data protected by the key and the number of services affected. Successful execution of this attack can impede incident response efforts and result in significant financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;AWS KMS Customer Managed Key Disabled or Scheduled for Deletion&quot; Sigma rule to detect unauthorized KMS key lifecycle changes (rule.name).</li>
<li>Monitor AWS CloudTrail logs for <code>DisableKey</code> and <code>ScheduleKeyDeletion</code> events to detect potentially malicious activity (index).</li>
<li>Restrict AWS KMS lifecycle permissions (<code>kms:DisableKey</code>, <code>kms:ScheduleKeyDeletion</code>) to a minimal set of privileged users and roles (references).</li>
<li>Implement multi-factor authentication (MFA) for administrators with KMS key management permissions to prevent unauthorized access (Security Best Practices reference).</li>
<li>Enable AWS Config rules for KMS key state monitoring to continuously assess the configuration of KMS keys and detect deviations from desired states (Security Best Practices reference).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>kms</category><category>datadestruction</category></item></channel></rss>