AWS S3 Object Encryption Using External KMS Key
Identifies use of the S3 CopyObject API where the destination object is encrypted using an AWS KMS key from an external AWS account. This behavior may indicate ransomware-style impact activity where an adversary with access to a misconfigured S3 bucket encrypts objects using a KMS key they control, preventing the bucket owner from decrypting their own data. This technique is a critical early signal of destructive intent or cross-account misuse.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/07/02"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Identifies use of the S3 CopyObject API where the destination object is encrypted using an AWS KMS key from an external
AWS account. This behavior may indicate ransomware-style impact activity where an adversary with access to a
misconfigured S3 bucket encrypts objects using a KMS key they control, preventing the bucket owner from decrypting their
own data. This technique is a critical early signal of destructive intent or cross-account misuse.
"""
false_positives = [
    """
    Cross-account KMS key usage may be legitimate in multi-account AWS Organizations architectures where centralized
    encryption keys are used for data governance or auditing workflows. Confirm whether the external KMS key belongs to
    an expected account before taking action. Data migration or cross-account backup workflows may legitimately
    re-encrypt S3 objects using a key in another account. Ensure these workflows are documented, tied to known IAM
    roles, and occur on predictable schedules.
    """,
]
from = "now-6m"
language = "esql"
license = "Elastic License v2"
name = "AWS S3 Object Encryption Using External KMS Key"
note = """## Triage and analysis

### Investigating AWS S3 Object Encryption Using External KMS Key

This rule detects when an S3 `CopyObject` operation encrypts an object using a KMS key belonging to a different AWS account than the bucket owner. This behavior is unusual and a strong indicator of:

- Cloud ransomware techniques, where adversaries encrypt data using a key only they control.
- Cross-account privilege misuse, especially when an unauthorized principal has write access to S3.
- Misconfigured bucket permissions, enabling principals from another account to perform privileged copy operations.
- Early impact-stage activity in incidents where attackers prepare to destroy availability or deny the owner access.

The rule uses ESQL to identify cases where the `cloud.account.id` (bucket owner) differs from the dissected `kms_key_account_id` used for encrypting the new object version.


#### Possible investigation steps

**Identify the actor and access pathway**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
- Check whether the caller is:
  - A legitimate cross-account automation role,
  - A compromised IAM user or workload identity, or
  - A federated identity behaving outside of normal patterns.
- Inspect `user_agent.original` to determine whether the action came from the AWS Console, CLI, SDK, or unusual tooling.

**Analyze the encryption behavior**
- Inspect the dissected KMS key fields:
  - `Esql.aws_cloudtrail_request_parameters_kms_key_account_id`
  - `Esql.aws_cloudtrail_request_parameters_kms_key_id`
- Confirm whether the external key:
  - Belongs to an attacker-controlled account,
  - Is unknown to your organization, or
  - Lives in a shared or security tooling account.

**Assess the objects affected**
- Review:
  - `Esql.aws_cloudtrail_request_parameters_target_bucket_name`
  - `Esql.aws_cloudtrail_request_parameters_target_object_key`
- Identify:
  - Whether objects were overwritten or new encrypted copies were created.
  - The sensitivity or criticality of the affected data.
  - Whether object versioning is enabled (important for recovery).

**Correlate surrounding access patterns**
Pivot in CloudTrail on:
- The same access key ID
- The same IAM principal
- Affected bucket ARN

Look for:
- `DeleteObject` or `DeleteObjects` calls (common in ransomware behavior)
- Mass enumeration prior to the event (`ListObjectsV2`, `GetObject`)
- Other impact-stage actions (`PutBucketPolicy`, `PutBucketAcl`, disabling logging)
- Attempts to encrypt additional objects in rapid succession

**Evaluate bucket permissions and exposure**
Review:
- S3 bucket policy changes
- IAM roles with `s3:PutObject` or `s3:PutObjectAcl` permissions
- Whether unintended cross-account `Principal` entries exist
- Whether the KMS key policy explicitly trusts your account or a foreign one

**Validate business justification**
- Confirm with storage, data engineering, or application teams whether:
  - Any migration, transformation, or backup workflows should be encrypting objects cross-account.
  - Scheduled jobs or CI/CD pipelines were operating at the time of the event.

### False positive analysis

- **Expected cross-account encryption**
  Many organizations use centralized encryption accounts or shared security accounts. Validate:
  - Whether the KMS key account is part of your AWS Organization
  - Whether the workflow, role, or application is documented
  - Whether the principal routinely performs CopyObject operations

### Response and remediation

**Contain and prevent further impact**
- Immediately restrict S3 write access for the principal involved.
- If the KMS key is attacker-controlled, the impacted objects may be unrecoverable without versioning.
- If object versioning is disabled, enable it on the affected bucket to strengthen future resilience.

**Investigate scope and severity**
- Identify:
  - Additional objects encrypted using external keys
  - Related suspicious actions (delete, modify, exfiltration events)
  - Whether any ransom markers or unauthorized files were uploaded
- Validate whether the external KMS key grants *decrypt* permission back to the bucket owner (rare in attacker use).

**Recover and secure the bucket**
- Restore accessible previous versions if versioning is enabled.
- Revoke unauthorized access key pairs or session credentials.
- Audit bucket policies, ACLs, and IAM conditions (`aws:PrincipalArn`, `aws:SourceAccount`, `aws:SourceArn`).
- Tighten cross-account access controls:
  - Remove unintended `Principal` clauses
  - Restrict KMS usage to known accounts
  - Enforce SCPs that block cross-account KMS use unless explicitly approved

**Long-term hardening**
- Integrate object-level access logging and S3 server access logging into security monitoring.
- Add AWS Config rules (or Security Hub controls) detecting:
  - Public buckets
  - Cross-account access to S3
  - KMS policies permitting foreign principals
- Document required cross-account workflows and add explicit allowlists.

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/",
    "https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/",
    "https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/",
    "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/",
]
risk_score = 47
rule_id = "ab8f074c-5565-4bc4-991c-d49770e19fc9"
setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration for CopyObject events."
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS S3",
    "Data Source: AWS KMS",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws.cloudtrail-* metadata _id, _version, _index

// any successful S3 copy event
| where
    event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "CopyObject"
    and event.outcome == "success"

// dissect request parameters to extract KMS key info and target object info
| dissect aws.cloudtrail.request_parameters
    "{%{?bucketName}=%{Esql.aws_cloudtrail_request_parameters_target_bucket_name},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{Esql.aws_cloudtrail_request_parameters_kms_key_account_id}:%{?key}/%{Esql.aws_cloudtrail_request_parameters_kms_key_id},%{?Host}=%{?tls.client.server.name},%{?x-amz-server-side-encryption}=%{?server_side_encryption},%{?x-amz-copy-source}=%{?bucket.object.name},%{?key}=%{Esql.aws_cloudtrail_request_parameters_target_object_key}}"

// detect cross-account key usage
| where cloud.account.id != Esql.aws_cloudtrail_request_parameters_kms_key_account_id

// keep ECS and dissected fields
| keep
    @timestamp,
    data_stream.namespace,
    user.name,
    user_agent.original,
    source.ip,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.type,
    aws.cloudtrail.user_identity.access_key_id,
    aws.cloudtrail.resources.arn,
    aws.cloudtrail.resources.type,
    event.action,
    event.outcome,
    cloud.account.id,
    cloud.region,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.response_elements,
    Esql.aws_cloudtrail_request_parameters_target_bucket_name,
    Esql.aws_cloudtrail_request_parameters_target_object_key,
    Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
    Esql.aws_cloudtrail_request_parameters_kms_key_id,
    _id,
    _version,
    _index
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1486"
name = "Data Encrypted for Impact"
reference = "https://attack.mitre.org/techniques/T1486/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
    "Esql.aws_cloudtrail_request_parameters_target_bucket_name",
    "Esql.aws_cloudtrail_request_parameters_target_object_key",
    "Esql.aws_cloudtrail_request_parameters_kms_key_account_id",
    "Esql.aws_cloudtrail_request_parameters_kms_key_id",
]
Triage and analysis
Investigating AWS S3 Object Encryption Using External KMS Key
This rule detects when an S3 CopyObject operation encrypts an object using a KMS key belonging to a different AWS account than the bucket owner. This behavior is unusual and a strong indicator of:
- Cloud ransomware techniques, where adversaries encrypt data using a key only they control.
- Cross-account privilege misuse, especially when an unauthorized principal has write access to S3.
- Misconfigured bucket permissions, enabling principals from another account to perform privileged copy operations.
- Early impact-stage activity in incidents where attackers prepare to destroy availability or deny the owner access.
The rule uses ESQL to identify cases where the cloud.account.id (bucket owner) differs from the dissected kms_key_account_id used for encrypting the new object version.
Possible investigation steps
Identify the actor and access pathway
- Review aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id.
- Check whether the caller is:
  - A legitimate cross-account automation role,
  - A compromised IAM user or workload identity, or
  - A federated identity behaving outside of normal patterns.
- Inspect user_agent.original to determine whether the action came from the AWS Console, CLI, SDK, or unusual tooling.
Analyze the encryption behavior
- Inspect the dissected KMS key fields:
  - Esql.aws_cloudtrail_request_parameters_kms_key_account_id
  - Esql.aws_cloudtrail_request_parameters_kms_key_id
- Confirm whether the external key:
  - Belongs to an attacker-controlled account,
  - Is unknown to your organization, or
  - Lives in a shared or security tooling account.
Assess the objects affected
- Review:
  - Esql.aws_cloudtrail_request_parameters_target_bucket_name
  - Esql.aws_cloudtrail_request_parameters_target_object_key
- Identify:
  - Whether objects were overwritten or new encrypted copies were created.
  - The sensitivity or criticality of the affected data.
  - Whether object versioning is enabled (important for recovery).
Correlate surrounding access patterns
Pivot in CloudTrail on:
- The same access key ID
- The same IAM principal
- Affected bucket ARN
Look for:
- DeleteObject or DeleteObjects calls (common in ransomware behavior)
- Mass enumeration prior to the event (ListObjectsV2, GetObject)
- Other impact-stage actions (PutBucketPolicy, PutBucketAcl, disabling logging)
- Attempts to encrypt additional objects in rapid succession
Evaluate bucket permissions and exposure
Review:
- S3 bucket policy changes
- IAM roles with s3:PutObject or s3:PutObjectAcl permissions
- Whether unintended cross-account Principal entries exist
- Whether the KMS key policy explicitly trusts your account or a foreign one
Validate business justification
- Confirm with storage, data engineering, or application teams whether:
  - Any migration, transformation, or backup workflows should be encrypting objects cross-account.
  - Scheduled jobs or CI/CD pipelines were operating at the time of the event.
False positive analysis
- Expected cross-account encryption
  Many organizations use centralized encryption accounts or shared security accounts. Validate:
  - Whether the KMS key account is part of your AWS Organization
  - Whether the workflow, role, or application is documented
  - Whether the principal routinely performs CopyObject operations
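The account comparison the rule performs, combined with the trusted-account check from the false positive analysis and the delete pivot from the investigation steps, as an added Python example (not part of the Elastic rule). The events, principals, account IDs, trusted-account set and the helper names `ev`, `bucket_of` and `external_kms_copies` are constructed for illustration, and the request-parameter string follows the `{name=value, ...}` layout implied by the rule's dissect pattern.

```python
import re

# KMS key ARN in the flattened request parameters, matched wherever it appears.
KMS_ARN = re.compile(r"aws-kms-key-id=arn:aws[\w-]*:kms:[^:]*:(\d{12}):key/([\w-]+)")
BUCKET = re.compile(r"bucketName=([^,}\s]+)")
TRUSTED_KMS_ACCOUNTS = {"333333333333"}  # assumption: documented central-key account
A = "arn:aws:iam::111111111111:user/app-writer"  # constructed principals
B = "arn:aws:iam::111111111111:role/backup-job"
ARN = "arn:aws:kms:us-east-1:"

def ev(hhmm, action, actor, kms=None):  # builds one constructed event
    sse = f", x-amz-server-side-encryption-aws-kms-key-id={kms}" if kms else ""
    return {"@timestamp": f"2024-07-02T{hhmm}:00Z", "event.action": action,
            "event.outcome": "success", "cloud.account.id": "111111111111",
            "aws.cloudtrail.user_identity.arn": actor,
            "aws.cloudtrail.request_parameters":
                "{bucketName=finance-data, key=q2.csv" + sse + "}"}

EVENTS = [  # constructed sample data, not real CloudTrail output
    ev("10:00", "CopyObject", A, ARN + "999999999999:key/1111aaaa-0000"),  # unknown account
    ev("10:01", "DeleteObject", A),
    ev("11:00", "CopyObject", B, ARN + "333333333333:key/2222bbbb-0000"),  # central key account
    ev("12:00", "CopyObject", B, ARN + "111111111111:key/3333cccc-0000"),  # bucket owner's key
    ev("13:00", "CopyObject", B, "4444dddd-0000"),  # bare key ID, no account to compare
]

def bucket_of(params):
    m = BUCKET.search(params)
    return m.group(1) if m else None

def external_kms_copies(events, trusted=TRUSTED_KMS_ACCOUNTS):
    """One finding per successful CopyObject whose key ARN names another account."""
    findings = []
    for e in events:
        params = e["aws.cloudtrail.request_parameters"]
        arn = KMS_ARN.search(params)
        if ((e["event.action"], e["event.outcome"]) != ("CopyObject", "success")
                or not arn or arn.group(1) == e["cloud.account.id"]):
            continue  # not a copy, no account ID in the key reference, or owner's key
        actor, bucket = e["aws.cloudtrail.user_identity.arn"], bucket_of(params)
        # Triage pivot: later deletes by the same principal against the same bucket.
        deletes = sum(d["event.action"] in ("DeleteObject", "DeleteObjects")
                      and d["aws.cloudtrail.user_identity.arn"] == actor
                      and d["@timestamp"] > e["@timestamp"]
                      and bucket_of(d["aws.cloudtrail.request_parameters"]) == bucket
                      for d in events)
        findings.append({"actor": actor, "bucket": bucket, "later_deletes": deletes,
                         "kms_key_account_id": arn.group(1), "kms_key_id": arn.group(2),
                         "trusted_key_account": arn.group(1) in trusted})
    return findings
```

Calling `external_kms_copies(EVENTS)` returns two findings; the one with `trusted_key_account` false and a non-zero `later_deletes` is the one to escalate first.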
Response and remediation
Contain and prevent further impact
- Immediately restrict S3 write access for the principal involved.
- If the KMS key is attacker-controlled, the impacted objects may be unrecoverable without versioning.
- If object versioning is disabled, enable it on the affected bucket to strengthen future resilience.
Investigate scope and severity
- Identify:
  - Additional objects encrypted using external keys
  - Related suspicious actions (delete, modify, exfiltration events)
  - Whether any ransom markers or unauthorized files were uploaded
- Validate whether the external KMS key grants decrypt permission back to the bucket owner (rare in attacker use).
Recover and secure the bucket
- Restore accessible previous versions if versioning is enabled.
- Revoke unauthorized access key pairs or session credentials.
- Audit bucket policies, ACLs, and IAM conditions (aws:PrincipalArn, aws:SourceAccount, aws:SourceArn).
- Tighten cross-account access controls:
  - Remove unintended Principal clauses
  - Restrict KMS usage to known accounts
  - Enforce SCPs that block cross-account KMS use unless explicitly approved
Long-term hardening
- Integrate object-level access logging and S3 server access logging into security monitoring.
- Add AWS Config rules (or Security Hub controls) detecting:
  - Public buckets
  - Cross-account access to S3
  - KMS policies permitting foreign principals
- Document required cross-account workflows and add explicit allowlists.
Additional information
- AWS IR Playbooks
- AWS Customer Playbook Framework
- Security Best Practices: AWS Knowledge Center – Security Best Practices.
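References
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/
- https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/
- https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/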
Related rules
- AWS S3 Object Versioning Suspended
- Excessive AWS S3 Object Encryption with SSE-C
- Potential AWS S3 Bucket Ransomware Note Uploaded
- Unusual AWS S3 Object Encryption with SSE-C
- AWS Discovery API Calls via CLI from a Single Resource