{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-kms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS KMS"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","kms","data-destruction","ransomware"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis brief details a critical technique used by adversaries to achieve immediate and irreversible data destruction or to facilitate cloud ransomware within AWS environments. Adversaries exploit the \u003ccode\u003eDeleteImportedKeyMaterial\u003c/code\u003e API call against AWS Key Management Service (KMS) customer managed keys (CMKs) that use external key material (Bring Your Own Key - BYOK). Unlike standard key deletion processes which include a mandatory pending period, this action instantly renders the affected key unusable. Consequently, all data previously encrypted with this CMK becomes immediately inaccessible, with no built-in recovery window, presenting a significant threat to data availability and integrity. This technique is particularly dangerous due to its instant effect and potential for unrecoverable data loss if the original key material is not securely retained or an attacker withholds it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise\u003c/strong\u003e: An adversary gains unauthorized access to an AWS account, often through compromised credentials, exposed API keys, or exploitation of a vulnerable service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance \u0026amp; Privilege Escalation\u003c/strong\u003e: The adversary identifies AWS KMS keys with imported key material (BYOK) and elevates privileges to perform KMS actions, specifically \u003ccode\u003ekms:DeleteImportedKeyMaterial\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKey Identification\u003c/strong\u003e: The adversary identifies critical CMKs protecting sensitive data or essential services that are reliant on imported key material.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMaterial Deletion\u003c/strong\u003e: The adversary executes the \u003ccode\u003ekms:DeleteImportedKeyMaterial\u003c/code\u003e API call against targeted BYOK CMKs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Inaccessibility\u003c/strong\u003e: The deletion immediately revokes access to the cryptographic key material, rendering all data encrypted by these CMKs instantly inaccessible.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact/Extortion\u003c/strong\u003e: The adversary either performs data destruction for sabotage purposes or demands a ransom for the re-importation of key material (if the attacker controls the material or a copy).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of the \u003ccode\u003eDeleteImportedKeyMaterial\u003c/code\u003e action results in immediate and potentially unrecoverable data loss across all services and data encrypted by the targeted AWS KMS customer managed key. This impact is instant, bypassing the standard grace period associated with \u003ccode\u003eScheduleKeyDeletion\u003c/code\u003e. Organizations can face severe operational disruption, financial losses due to data inaccessibility, and potentially irrecoverable data if the original key material is not securely backed up or if the attacker withholds it during a ransomware scenario. The technique is used for both pure data destruction (sabotage) and cloud-specific ransomware campaigns, targeting the foundational security mechanism of cloud data protection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail management events for KMS actions and ensure ingestion into your SIEM to collect relevant \u003ccode\u003eaws.cloudtrail\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS KMS Imported Key Material Deleted\u0026quot; in this brief to detect \u003ccode\u003ekms:DeleteImportedKeyMaterial\u003c/code\u003e calls.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts by examining \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e, \u003ccode\u003eaws.cloudtrail.user_identity.type\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003euser_agent.original\u003c/code\u003e fields in the generated \u003ccode\u003eaws.cloudtrail\u003c/code\u003e logs for unexpected activity.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003ekms:DeleteImportedKeyMaterial\u003c/code\u003e and \u003ccode\u003ekms:ImportKeyMaterial\u003c/code\u003e permissions to a minimal set of trusted administrative roles using IAM policies and AWS Organizations Service Control Policies (SCPs).\u003c/li\u003e\n\u003cli\u003eMaintain secure, offline backups of all imported key material (BYOK) to ensure recoverability in case of unauthorized deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:57:06Z","date_published":"2026-07-03T15:57:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-kms-imported-key-material-deleted/","summary":"Adversaries leverage the `DeleteImportedKeyMaterial` API call against AWS KMS customer managed keys (CMKs) with external material, instantly rendering encrypted data inaccessible with no recovery window, facilitating cloud ransomware or data destruction attacks.","title":"AWS KMS Imported Key Material Deleted","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-kms-imported-key-material-deleted/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS KMS","version":"https://jsonfeed.org/version/1.1"}