Techniques
Sample rules
AWS Detect Users with KMS keys performing encryption S3
- source: splunk
- technicques:
- T1486
Description
The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the CopyObject event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality.
Detection logic
`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms"
| rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file
| stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`