AWS KMS Imported Key Material Usage

Detects the import or deletion of key material in AWS KMS. Both operations are rare in normal operation and are a building block of AWS ransomware: an attacker imports key material they control into a KMS key, re-encrypts the victim's data under that key, and then calls DeleteImportedKeyMaterial, which makes the key unusable immediately (the key moves to the PendingImport state, with no waiting period as there is for ScheduleKeyDeletion), so only the attacker's offline copy of the key material can restore the data. Because legitimate use is uncommon, either event is a high-confidence signal.

Sigma rule (View on GitHub)

title: AWS KMS Imported Key Material Usage
id: 1279262f-1464-422f-ac0d-5b545320c526
status: experimental
description: |
        Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
references:
    - https://www.chrisfarris.com/post/effective-aws-ransomware/
    - https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html
    - https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html
author: toopricey
date: 2025-10-18
tags:
    - attack.impact
    - attack.t1486
    - attack.resource-development
    - attack.t1608.003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'kms.amazonaws.com'
        eventName:
            - 'ImportKeyMaterial'
            - 'DeleteImportedKeyMaterial'
    condition: selection
falsepositives:
    - Legitimate use cases for imported key material are rare, but may include organizations with hybrid cloud architectures that import external key material to satisfy compliance requirements.
    - Development or testing environments that simulate external key management scenarios. Even in these cases, such activity is typically infrequent and should not add significant noise.
level: high
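The following is an added example, not part of the Sigma rule or of the SigmaHQ project: it applies the rule's `selection` block to CloudTrail records so the matching semantics can be checked without a SIEM. The records are constructed for illustration (the account ID, key ARNs, IP address and IAM user are placeholders), and the field names follow the CloudTrail record format that the rule's `eventSource`/`eventName` fields refer to. Sigma evaluates the fields of a selection with AND, a list of values for one field with OR, and compares plain string values case-insensitively, which is what `matches_selection` implements.

```python
"""Evaluate the rule's selection against constructed CloudTrail records."""
import json

# Constructed CloudTrail delivery file (not real log data). Layout follows the
# CloudTrail record format; account, key and IP values are placeholders.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "eventTime": "2025-10-18T10:01:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "ImportKeyMaterial",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {
            "keyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001",
            "expirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE",
        },
    },
    {   # Benign KMS use: must NOT match, eventName is outside the list.
        "eventVersion": "1.08",
        "eventTime": "2025-10-18T10:03:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Encrypt",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.20",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
        "requestParameters": None,   # CloudTrail omits parameters for Encrypt
    },
    {   # Deleting the imported material makes the key unusable immediately.
        "eventVersion": "1.08",
        "eventTime": "2025-10-18T10:09:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "DeleteImportedKeyMaterial",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {
            "keyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001",
        },
    },
    {   # Different service: must NOT match even though the name says "Delete".
        "eventVersion": "1.08",
        "eventTime": "2025-10-18T10:10:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.30",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/other-user"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
    },
]})

# Mirrors the rule's `selection` block one-to-one.
SELECTION = {
    "eventSource": ["kms.amazonaws.com"],
    "eventName": ["ImportKeyMaterial", "DeleteImportedKeyMaterial"],
}


def load_records(cloudtrail_json):
    """CloudTrail delivers a JSON object whose `Records` array holds the events."""
    return json.loads(cloudtrail_json)["Records"]


def matches_selection(record, selection=SELECTION):
    """Sigma semantics: AND across fields, OR across listed values,
    case-insensitive comparison of plain string values."""
    for field, allowed in selection.items():
        value = record.get(field)
        if not isinstance(value, str):
            return False
        if value.lower() not in {v.lower() for v in allowed}:
            return False
    return True


def detect(records):
    """Return a triage summary for every record the rule fires on."""
    hits = []
    for r in records:
        if not matches_selection(r):
            continue
        hits.append({
            "eventTime": r.get("eventTime"),
            "eventName": r.get("eventName"),
            "actor": (r.get("userIdentity") or {}).get("arn"),
            "keyId": (r.get("requestParameters") or {}).get("keyId"),
            "sourceIPAddress": r.get("sourceIPAddress"),
        })
    return hits


if __name__ == "__main__":
    for hit in detect(load_records(SAMPLE_CLOUDTRAIL)):
        print(json.dumps(hit))
```

When the two hits share a `keyId` and `actor` within minutes of each other, as in the constructed sample, the sequence is the import-then-delete pattern the rule is written for, which is worth prioritising over a lone ImportKeyMaterial from a known hybrid-key workflow.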
