{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-key-management-service/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Identity and Access Management","AWS Key Management Service","Amazon S3"],"_cs_severities":["medium"],"_cs_tags":["aws","kms","s3","cloud","encryption"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection focuses on identifying AWS Identity and Access Management (IAM) users who are actively utilizing Key Management Service (KMS) keys to encrypt data within Simple Storage Service (S3) buckets. While not inherently malicious, such activity warrants monitoring as it could signify insider threats, compromised accounts, or unauthorized data handling procedures. Attackers might leverage stolen credentials or compromised IAM roles to encrypt data using KMS, potentially as a precursor to data exfiltration or ransomware-like activity targeting cloud storage. This activity should be considered especially concerning if the KMS keys being used are outside the user's normal operational scope.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, either through compromised credentials or exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available S3 buckets and identifies a target bucket containing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies or creates a KMS key within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the target S3 bucket to use the identified KMS key for encryption of objects stored within it.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or modifies objects within the S3 bucket, triggering encryption using the KMS key.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to exfiltrate the encrypted data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to sensitive data stored within S3 buckets. Depending on the nature of the data, this could result in financial losses, reputational damage, and legal repercussions. Furthermore, if the attacker controls the KMS key, they could render the data inaccessible, effectively holding it hostage. The impact can vary based on the scope of the compromised data and the attacker's objectives, potentially affecting customer data, intellectual property, or critical business information.\u003c/p\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-kms-s3-encryption/","summary":"Detection of AWS users employing KMS keys for S3 encryption, potentially indicating suspicious data handling within cloud environments.","title":"AWS KMS Key User Performing S3 Encryption","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-kms-s3-encryption/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Key Management Service"],"_cs_severities":["high"],"_cs_tags":["aws","kms","encryption","misconfiguration","ransomware"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis analytic identifies the creation of AWS Key Management Service (KMS) keys configured with an encryption policy that grants broad access, including potentially external entities. The activity is detected by monitoring AWS CloudTrail logs ingested via Amazon Security Lake for \u003ccode\u003eCreateKey\u003c/code\u003e and \u003ccode\u003ePutKeyPolicy\u003c/code\u003e events. Specifically, the rule flags instances where the \u003ccode\u003ekms:Encrypt\u003c/code\u003e action is permitted for all principals (\u0026quot;*\u0026quot;). This misconfiguration can indicate a compromised AWS account, which could then be leveraged to misuse the encryption key, potentially targeting other organizations and their data. Successful exploitation allows an attacker to encrypt data, leading to operational disruptions and data breaches, especially if the key is used across multiple organizations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises an AWS account, possibly through credential theft or a vulnerability in an application running within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised AWS credentials to authenticate to the AWS Management Console or via the AWS CLI/API.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a \u003ccode\u003eCreateKey\u003c/code\u003e API call to create a new KMS key using the AWS KMS service.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a \u003ccode\u003ePutKeyPolicy\u003c/code\u003e API call to set the encryption policy for the newly created KMS key.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the KMS key policy to grant \u003ccode\u003ekms:Encrypt\u003c/code\u003e permissions to all principals, effectively making the key publicly usable for encryption operations.\u003c/li\u003e\n\u003cli\u003eThe attacker (or another entity) uses the publicly accessible KMS key to encrypt data, potentially rendering it inaccessible to legitimate users.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized encryption to disrupt services, extort victims, or cause reputational damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this misconfiguration can lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. The broad encryption policy allows any principal, including malicious actors, to encrypt data using the KMS key. This can result in data unavailability, extortion attempts, and significant reputational damage. A single compromised key can affect numerous organizations if the key is accessible and used across those entities, increasing the scope and severity of the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AWS KMS Key Creation with Public Encryption Policy\u003c/code\u003e to your SIEM and tune for your environment to identify KMS key creation with broad encryption permissions based on Amazon Security Lake logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the \u003ccode\u003eapi.request.data\u003c/code\u003e field in the CloudTrail logs for suspicious principal configurations.\u003c/li\u003e\n\u003cli\u003eReview and remediate any existing KMS keys with overly permissive encryption policies, restricting access to only authorized principals.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of account compromise and unauthorized key creation.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for suspicious API calls related to KMS key management, such as \u003ccode\u003eCreateKey\u003c/code\u003e, \u003ccode\u003ePutKeyPolicy\u003c/code\u003e, and \u003ccode\u003eEncrypt\u003c/code\u003e operations using the \u003ccode\u003eamazon_security_lake\u003c/code\u003e data source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-kms-key-creation/","summary":"An attacker may create AWS KMS keys with a permissive encryption policy, granting `kms:Encrypt` permissions to all principals, potentially leading to unauthorized encryption and data compromise across multiple organizations.","title":"AWS KMS Key Creation with Public Encryption Policy","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-kms-key-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Key Management Service","version":"https://jsonfeed.org/version/1.1"}