LoFP / Security, platform, and encryption teams legitimately update KMS key policies during onboarding, key rotation, or cross-account access design. Review the policy document diff, ticketing, and whether new principals are in-org.

Techniques

Sample rules

AWS KMS Key Policy Updated via PutKeyPolicy

Description

Identifies successful PutKeyPolicy calls on AWS KMS keys. The key policy is a resource-based policy that controls which principals can use the key for cryptographic operations and administration. Adversaries holding the "kms:PutKeyPolicy" permission may add or broaden principals (including external accounts) to decrypt or exfiltrate data protected by the key, or to preserve access after other credentials are rotated. This is distinct from disabling or scheduling deletion of the key.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "kms.amazonaws.com"
    and event.action: "PutKeyPolicy"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
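A triage helper for the false-positive check above, added here as an example and not part of LoFP or the rule: it applies the rule's conditions to a raw CloudTrail record, parses the policy document from requestParameters, and lists principals that are wildcards or belong to accounts outside an in-org account list (IN_ORG_ACCOUNTS, the account IDs and the sample event are constructed assumptions).

```python
import json
import re

# Assumption: the account IDs in your AWS Organization (constructed placeholder values).
IN_ORG_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed CloudTrail record (not a real event): a successful PutKeyPolicy call whose
# new policy lets a role in an account outside the organization decrypt with the key.
SAMPLE_EVENT = {
    "eventSource": "kms.amazonaws.com",
    "eventName": "PutKeyPolicy",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
    "requestParameters": {
        "keyId": "KEY-ID-PLACEHOLDER",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::999999999999:role/reader",
                                                      "222222222222"]},
             "Action": ["kms:Decrypt"], "Resource": "*"}]}),
    },
}

# Account ID from a bare 12-digit ID or an IAM ARN in the standard "aws" partition.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

def matches_rule(event):
    """The detection logic above, on raw CloudTrail fields (no errorCode means success)."""
    return (event.get("eventSource") == "kms.amazonaws.com"
            and event.get("eventName") == "PutKeyPolicy"
            and "errorCode" not in event
            and event.get("userIdentity", {}).get("type") != "AWSService")

def aws_principals(policy_doc):
    """Yield every AWS principal granted by an Allow statement ('*' included)."""
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        values = ["*"] if principal == "*" else principal.get("AWS", [])
        yield from ([values] if isinstance(values, str) else values)

def external_principals(event, in_org_accounts=IN_ORG_ACCOUNTS):
    """Principals in the new key policy that are wildcards or belong to out-of-org accounts."""
    policy_doc = json.loads(event["requestParameters"]["policy"])
    flagged = []
    for p in aws_principals(policy_doc):
        m = ACCOUNT_RE.match(p)
        if m is None or m.group(1) not in in_org_accounts:  # "*" and odd ARNs fail the regex
            flagged.append(p)
    return flagged
```

An empty result from external_principals means every new principal is in-org, so the remaining triage is the policy diff and the ticket reference.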