administrators within an aws organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. ensure that this behavior is not part of a legitimate operation before taking action.

Techniques

T1486

Sample rules

AWS S3 Object Encryption Using External KMS Key

source: elastic
technicques:
- T1486

Description

Identifies CopyObject events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index

// any successful copy event
| where event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "CopyObject"
    and event.outcome == "success"

// abstract key account id, key id, encrypted object bucket name and object name
| dissect aws.cloudtrail.request_parameters "{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}"

// filter for s3 objects whose account id is different from the encryption key's account id
// add exceptions based on key.account.id or keyId for known external accounts or encryption keys
| where cloud.account.id != key.account.id

// keep relevant fields
| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, target.bucketName, key.account.id, keyId, target.objectName