{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["KMS"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","kms","privilege-escalation","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis rule detects the successful execution of the \u003ccode\u003ePutKeyPolicy\u003c/code\u003e API call within Amazon Web Services Key Management Service (AWS KMS). The \u003ccode\u003ePutKeyPolicy\u003c/code\u003e action replaces the entire key policy associated with a KMS key, potentially granting new or expanded permissions to principals. An adversary who gains the ability to modify KMS key policies (\u003ccode\u003ekms:PutKeyPolicy\u003c/code\u003e) can escalate privileges by adding external accounts or roles, allowing them to decrypt data protected by the key or maintain persistent access even after credential rotation. This activity is crucial to monitor, as it can lead to significant data breaches and unauthorized access to sensitive information. The rule focuses on identifying deviations from expected KMS key policy management practices to detect potentially malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an AWS account or obtains IAM credentials with sufficient permissions, including \u003ccode\u003ekms:PutKeyPolicy\u003c/code\u003e on a target KMS key.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to call the \u003ccode\u003ePutKeyPolicy\u003c/code\u003e API, replacing the existing key policy with a modified version.\u003c/li\u003e\n\u003cli\u003eThe modified key policy grants the attacker\u0026rsquo;s AWS account, or an external account, permissions to perform cryptographic operations on the key, such as \u003ccode\u003ekms:Decrypt\u003c/code\u003e or \u003ccode\u003ekms:GenerateDataKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the newly granted permissions to decrypt data encrypted with the KMS key, such as data stored in S3 buckets or EBS volumes.\u003c/li\u003e\n\u003cli\u003eThe attacker may also grant administrative actions to new identities.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the decrypted data to an external location.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting CloudTrail logs or modifying other security configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data encrypted with the KMS key, potentially resulting in data breaches, financial loss, and reputational damage. The severity depends on the sensitivity of the data protected by the key and the scope of access granted to the attacker. This can impact organizations across various sectors that rely on AWS KMS for data encryption, potentially affecting millions of records and causing significant operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS KMS Key Policy Updated via PutKeyPolicy\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized modifications to KMS key policies.\u003c/li\u003e\n\u003cli\u003eReview the policy document diff in \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.response_elements\u003c/code\u003e to identify unauthorized changes to principals.\u003c/li\u003e\n\u003cli\u003eRestrict the \u003ccode\u003ekms:PutKeyPolicy\u003c/code\u003e permission to break-glass roles only, limiting the potential for unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eiam:AttachRolePolicy\u003c/code\u003e and \u003ccode\u003ests:AssumeRole\u003c/code\u003e events to correlate with potential privilege escalation attempts related to KMS key access.\u003c/li\u003e\n\u003cli\u003eRestore a known-good KMS policy from backup or IAM/KMS change history to remediate unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T18:23:00Z","date_published":"2024-01-22T18:23:00Z","id":"/briefs/2024-01-aws-kms-key-policy-put/","summary":"Detection of successful PutKeyPolicy calls on AWS KMS keys to identify potential privilege escalation or unauthorized access by adversaries modifying key policies to decrypt or exfiltrate data.","title":"AWS KMS Key Policy Updated via PutKeyPolicy","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-kms-key-policy-put/"}],"language":"en","title":"CraftedSignal Threat Feed — Kms","version":"https://jsonfeed.org/version/1.1"}