AWS S3 Object Encryption Using External KMS Key

  1[metadata]
  2creation_date = "2024/07/02"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/12/09"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies use of the S3 CopyObject API where the destination object is encrypted using an AWS KMS key from an external
 11AWS account. This behavior may indicate ransomware-style impact activity where an adversary with access to a
 12misconfigured S3 bucket encrypts objects using a KMS key they control, preventing the bucket owner from decrypting their
 13own data. This technique is a critical early signal of destructive intent or cross-account misuse.
 14"""
 15false_positives = [
 16    """
 17    Cross-account KMS key usage may be legitimate in multi-account AWS Organizations architectures where centralized
 18    encryption keys are used for data governance or auditing workflows. Confirm whether the external KMS key belongs to
 19    an expected account before taking action. Data migration or cross-account backup workflows may legitimately
 20    re-encrypt S3 objects using a key in another account. Ensure these workflows are documented, tied to known IAM
 21    roles, and occur on predictable schedules.
 22    """,
 23]
 24from = "now-6m"
 25language = "esql"
 26license = "Elastic License v2"
 27name = "AWS S3 Object Encryption Using External KMS Key"
 28note = """## Triage and analysis
 29
 30> **Disclaimer**:
 31> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
 32> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.
 33
 34### Investigating AWS S3 Object Encryption Using External KMS Key
 35
 36This rule detects when an S3 `CopyObject` operation encrypts an object using a KMS key belonging to a different AWS account than the bucket owner. This behavior is unusual and a strong indicator of:
 37
 38- Cloud ransomware techniques, where adversaries encrypt data using a key only they control.
 39- Cross-account privilege misuse, especially when an unauthorized principal has write access to S3.
 40- Misconfigured bucket permissions, enabling principals from another account to perform privileged copy operations.
 41- Early impact-stage activity in incidents where attackers prepare to destroy availability or deny the owner access.
 42
 43The rule uses ESQL to identify cases where the `cloud.account.id` (bucket owner) differs from the dissected `kms_key_account_id` used for encrypting the new object version.
 44
 45
 46#### Possible investigation steps
 47
 48**Identify the actor and access pathway**
 49- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
 50- Check whether the caller is:
 51  - A legitimate cross-account automation role,  
 52  - A compromised IAM user or workload identity, or  
 53  - A federated identity behaving outside of normal patterns.
 54- Inspect `user_agent.original` to determine whether the action came from the AWS Console, CLI, SDK, or unusual tooling.
 55
 56**Analyze the encryption behavior**
 57- Inspect the dissected KMS key fields:
 58  - `Esql.aws_cloudtrail_request_parameters_kms_key_account_id`
 59  - `Esql.aws_cloudtrail_request_parameters_kms_key_id`
 60- Confirm whether the external key:
 61  - Belongs to an attacker-controlled account,  
 62  - Is unknown to your organization, or  
 63  - Lives in a shared or security tooling account.
 64
 65**Assess the objects affected**
 66- Review:
 67  - `Esql.aws_cloudtrail_request_parameters_target_bucket_name`
 68  - `Esql.aws_cloudtrail_request_parameters_target_object_key`
 69- Identify:
 70  - Whether objects were overwritten or new encrypted copies were created.
 71  - The sensitivity or criticality of the affected data.
 72  - Whether object versioning is enabled (important for recovery).
 73
 74**Correlate surrounding access patterns**
 75Pivot in CloudTrail on:
 76- The same access key ID  
 77- The same IAM principal  
 78- Affected bucket ARN  
 79
 80Look for:
 81- `DeleteObject` or `DeleteObjects` calls (common in ransomware behavior)
 82- Mass enumeration prior to the event (`ListObjectsV2`, `GetObject`)
 83- Other impact-stage actions (`PutBucketPolicy`, `PutBucketAcl`, disabling logging)
 84- Attempts to encrypt additional objects in rapid succession
 85
 86**Evaluate bucket permissions and exposure**
 87Review:
 88- S3 bucket policy changes
 89- IAM roles with `s3:PutObject` or `s3:PutObjectAcl` permissions
 90- Whether unintended cross-account `Principal` entries exist
 91- Whether the KMS key policy explicitly trusts your account or a foreign one
 92
 93**Validate business justification**
 94- Confirm with storage, data engineering, or application teams whether:
 95  - Any migration, transformation, or backup workflows should be encrypting objects cross-account.
 96  - Scheduled jobs or CI/CD pipelines were operating at the time of the event.
 97
 98### False positive analysis
 99
100- **Expected cross-account encryption**  
101  Many organizations use centralized encryption accounts or shared security accounts. Validate:
102  - Whether the KMS key account is part of your AWS Organization
103  - Whether the workflow, role, or application is documented
104  - Whether the principal routinely performs CopyObject operations
105
106### Response and remediation
107
108**Contain and prevent further impact**
109- Immediately restrict S3 write access for the principal involved.
110- If the KMS key is attacker-controlled, the impacted objects may be unrecoverable without versioning.
111- If object versioning is disabled, enable it on the affected bucket to strengthen future resilience.
112
113**Investigate scope and severity**
114- Identify:
115  - Additional objects encrypted using external keys
116  - Related suspicious actions (delete, modify, exfiltration events)
117  - Whether any ransom markers or unauthorized files were uploaded
118- Validate whether the external KMS key grants *decrypt* permission back to the bucket owner (rare in attacker use).
119
120**Recover and secure the bucket**
121- Restore accessible previous versions if versioning is enabled.
122- Revoke unauthorized access key pairs or session credentials.
123- Audit bucket policies, ACLs, and IAM conditions (`aws:PrincipalArn`, `aws:SourceAccount`, `aws:SourceArn`).
124- Tighten cross-account access controls:
125  - Remove unintended `Principal` clauses
126  - Restrict KMS usage to known accounts
127  - Enforce SCPs that block cross-account KMS use unless explicitly approved
128
129**Long-term hardening**
130- Integrate object-level access logging and S3 server access logging into security monitoring.
131- Add AWS Config rules (or Security Hub controls) detecting:
132  - Public buckets
133  - Cross-account access to S3
134  - KMS policies permitting foreign principals
135- Document required cross-account workflows and add explicit allowlists.
136
137### Additional information
138
139- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
140- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
141- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
142"""
143references = [
144    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/",
145    "https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/",
146    "https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/",
147    "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/",
148]
149risk_score = 47
150rule_id = "ab8f074c-5565-4bc4-991c-d49770e19fc9"
151setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration for CopyObject events."
152severity = "medium"
153tags = [
154    "Domain: Cloud",
155    "Data Source: AWS",
156    "Data Source: Amazon Web Services",
157    "Data Source: AWS S3",
158    "Data Source: AWS KMS",
159    "Use Case: Threat Detection",
160    "Tactic: Impact",
161    "Resources: Investigation Guide",
162]
163timestamp_override = "event.ingested"
164type = "esql"
165
166query = '''
167from logs-aws.cloudtrail-* metadata _id, _version, _index
168
169// any successful S3 copy event
170| where
171  event.dataset == "aws.cloudtrail"
172  and event.provider == "s3.amazonaws.com"
173  and event.action == "CopyObject"
174  and event.outcome == "success"
175
176// dissect request parameters to extract KMS key info and target object info
177| dissect aws.cloudtrail.request_parameters
178    "{%{?bucketName}=%{Esql.aws_cloudtrail_request_parameters_target_bucket_name},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{Esql.aws_cloudtrail_request_parameters_kms_key_account_id}:%{?key}/%{Esql.aws_cloudtrail_request_parameters_kms_key_id},%{?Host}=%{?tls.client.server.name},%{?x-amz-server-side-encryption}=%{?server_side_encryption},%{?x-amz-copy-source}=%{?bucket.object.name},%{?key}=%{Esql.aws_cloudtrail_request_parameters_target_object_key}}"
179
180// detect cross-account key usage
181| where cloud.account.id != Esql.aws_cloudtrail_request_parameters_kms_key_account_id
182
183// keep ECS and dissected fields
184| keep
185  @timestamp,
186  data_stream.namespace,
187  user.name,
188  user_agent.original,
189  source.ip,
190  aws.cloudtrail.user_identity.arn,
191  aws.cloudtrail.user_identity.type,
192  aws.cloudtrail.user_identity.access_key_id,
193  aws.cloudtrail.resources.arn,
194  aws.cloudtrail.resources.type,
195  event.action,
196  event.outcome,
197  cloud.account.id,
198  cloud.region,
199  aws.cloudtrail.request_parameters,
200  aws.cloudtrail.response_elements,
201  Esql.aws_cloudtrail_request_parameters_target_bucket_name,
202  Esql.aws_cloudtrail_request_parameters_target_object_key,
203  Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
204  Esql.aws_cloudtrail_request_parameters_kms_key_id,
205  _id,
206  _version,
207  _index
208'''
209
210
211[[rule.threat]]
212framework = "MITRE ATT&CK"
213[[rule.threat.technique]]
214id = "T1486"
215name = "Data Encrypted for Impact"
216reference = "https://attack.mitre.org/techniques/T1486/"
217
218
219[rule.threat.tactic]
220id = "TA0040"
221name = "Impact"
222reference = "https://attack.mitre.org/tactics/TA0040/"
223
224[rule.investigation_fields]
225field_names = [
226    "@timestamp",
227    "user.name",
228    "user_agent.original",
229    "source.ip",
230    "aws.cloudtrail.user_identity.arn",
231    "aws.cloudtrail.user_identity.type",
232    "aws.cloudtrail.user_identity.access_key_id",
233    "aws.cloudtrail.resources.arn",
234    "aws.cloudtrail.resources.type",
235    "event.action",
236    "event.outcome",
237    "cloud.account.id",
238    "cloud.region",
239    "aws.cloudtrail.request_parameters",
240    "aws.cloudtrail.response_elements",
241    "Esql.aws_cloudtrail_request_parameters_target_bucket_name",
242    "Esql.aws_cloudtrail_request_parameters_target_object_key",
243    "Esql.aws_cloudtrail_request_parameters_kms_key_account_id",
244    "Esql.aws_cloudtrail_request_parameters_kms_key_id",
245]