AWS KMS Key Policy Updated via PutKeyPolicy

Identifies successful PutKeyPolicy calls on AWS KMS keys. The key policy is a resource-based policy that controls which principals can use the key for cryptographic operations and administration. Adversaries with "kms:PutKeyPolicy" may add or broaden principals (including external accounts) to decrypt or exfiltrate data protected by the key, or to preserve access after other credentials are rotated. This is distinct from disabling or scheduling deletion of the key.

Elastic rule:

```toml
[metadata]
creation_date = "2026/04/08"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/08"

[rule]
author = ["Elastic"]
description = """
Identifies successful PutKeyPolicy calls on AWS KMS keys. The key policy is a resource-based policy that controls which
principals can use the key for cryptographic operations and administration. Adversaries with "kms:PutKeyPolicy" may add
or broaden principals (including external accounts) to decrypt or exfiltrate data protected by the key, or to preserve
access after other credentials are rotated. This is distinct from disabling or scheduling deletion of the key.
"""
false_positives = [
    """
    Security, platform, and encryption teams legitimately update KMS key policies during onboarding, key rotation, or
    cross-account access design. Review the policy document diff, ticketing, and whether new principals are in-org.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS KMS Key Policy Updated via PutKeyPolicy"
note = """## Triage and analysis

### Investigating AWS KMS Key Policy Updated via PutKeyPolicy

`PutKeyPolicy` replaces the entire key policy for a customer managed KMS key (and is used in limited scenarios for AWS
managed keys). Unexpected changes can grant `kms:Decrypt`, `kms:GenerateDataKey`, or administrative actions to new
identities.

#### Possible investigation steps

- Identify the key from `aws.cloudtrail.resources.arn` or `aws.cloudtrail.request_parameters.keyId`.
- Inspect `policy` in `aws.cloudtrail.request_parameters` (or related fields) for new `Principal`, `AWS`, or
  `kms:CallerAccount` entries and cross-account ARNs.
- Determine which data stores use the key (S3, EBS, RDS, Secrets Manager, etc.) via CMK aliases or CMDB.
- Correlate with `iam:AttachRolePolicy`, `sts:AssumeRole`, or data-plane access from newly added principals.

### False positive analysis

- Planned multi-account encryption patterns; confirm recipient accounts are approved.

### Response and remediation

- If unauthorized: restore a known-good policy from backup or IAM/KMS change history, remove rogue principals, and
  restrict `kms:PutKeyPolicy` to break-glass roles.

### Additional information

- [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html)
- [KMS key policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
"""
references = [
    "https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html",
    "https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html",
]
risk_score = 47
rule_id = "f6a0b2c3-4d5e-4f7a-8b9c-0d1e2f3a4b5c"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS KMS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "kms.amazonaws.com"
    and event.action: "PutKeyPolicy"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.005"
name = "Temporary Elevated Cloud Access"
reference = "https://attack.mitre.org/techniques/T1548/005/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
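The rule's query conditions and the first triage step (pulling the new policy document out of `aws.cloudtrail.request_parameters` and flagging principals outside the key-owning account), as an added Python example that is not part of the Elastic rule. The account ids, key id and event documents are constructed, and the example assumes `aws.cloudtrail.request_parameters` carries the JSON string CloudTrail emits, with `policy` itself JSON-encoded inside it.

```python
import json

# Added example (not Elastic's code): the rule's KQL conditions and its first triage step.
OWN_ACCOUNT = "111111111111"  # placeholder id of the account that owns the key

def matches_rule(doc):
    """Same conditions as the rule's query, evaluated on one flattened ECS document."""
    return (doc.get("event.dataset") == "aws.cloudtrail"
            and doc.get("event.provider") == "kms.amazonaws.com"
            and doc.get("event.action") == "PutKeyPolicy"
            and doc.get("event.outcome") == "success"
            and doc.get("aws.cloudtrail.user_identity.type") != "AWSService")

def principal_accounts(policy_doc):
    """Account ids (or '*') granted by Allow statements through Principal.AWS."""
    accounts = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*":
                accounts.add("*")                 # any principal in any account
            elif p.startswith("arn:"):
                accounts.add(p.split(":")[4])     # account id is the 5th ARN field
            elif len(p) == 12 and p.isdigit():
                accounts.add(p)                   # bare account-id principal
    return accounts

def external_principals(doc, own_account=OWN_ACCOUNT):
    """Principals outside own_account that a matching event grants; None if no match.
    Assumes request_parameters is CloudTrail's JSON string with 'policy' JSON-encoded."""
    if not matches_rule(doc):
        return None
    policy = json.loads(json.loads(doc["aws.cloudtrail.request_parameters"])["policy"])
    return sorted(a for a in principal_accounts(policy) if a != own_account)

# Constructed sample: the new policy keeps the owner's root and adds a foreign decrypt role.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::999999999999:role/ext"]},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]}
SAMPLE_EVENT = {
    "event.dataset": "aws.cloudtrail", "event.provider": "kms.amazonaws.com",
    "event.action": "PutKeyPolicy", "event.outcome": "success",
    "aws.cloudtrail.user_identity.type": "IAMUser",
    "aws.cloudtrail.request_parameters": json.dumps({"keyId": "PLACEHOLDER-KEY-ID",
        "policyName": "default", "policy": json.dumps(SAMPLE_POLICY)})}
```

`external_principals(SAMPLE_EVENT)` returns `['999999999999']`, the cross-account grant the triage steps ask you to review; a `Principal` of `"*"` surfaces as `'*'`.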
