Techniques
Sample rules
AWS Detect Users with KMS keys performing encryption S3
- source: splunk
- technicques:
- T1486
Description
This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.
Detection logic
`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms"
| rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file
| stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`