
Summary
This rule detects successful PutKeyPolicy calls on AWS KMS keys by inspecting CloudTrail events. It triggers when event.dataset is aws.cloudtrail, event.provider is kms.amazonaws.com, event.action is PutKeyPolicy and event.outcome is success, and it excludes calls made by AWSService principals, since those are service-initiated rather than user-initiated. PutKeyPolicy replaces the entire key policy rather than amending it: a single call can grant decrypt or administrative permissions to new principals, which enables data exfiltration or persistence that survives credential rotation, and it can just as easily drop existing principals (for example a security or audit role), which is why the rule also maps to Impair Defenses. The detection is mapped to MITRE ATT&CK T1548.005 Temporary Elevated Cloud Access (a sub-technique of T1548 Abuse Elevation Control Mechanism, Privilege Escalation) and T1562 Impair Defenses.

Investigation starts by identifying the affected key, via aws.cloudtrail.resources.arn or aws.cloudtrail.request_parameters.keyId, and reviewing the submitted policy for new Principal/AWS entries, wildcard principals, or ARNs whose account ID differs from the key owner's. Correlate the caller with related privilege use such as iam:AttachRolePolicy or sts:AssumeRole, and assess which data stores use the key (via CMK aliases or the CMDB). Cross-reference the change with subsequent data-plane activity, such as Decrypt calls, by the newly added principals; a new principal that immediately starts decrypting is a stronger signal than the policy change alone.

False positives include legitimate onboarding, key rotation, or an intended cross-account access design; validate by diffing the submitted policy against the previous version and checking for a matching change approval. Remediation involves restoring a known-good policy, removing rogue principals, and restricting kms:PutKeyPolicy to break-glass roles. Additional context includes references to the PutKeyPolicy API and to KMS key policies.
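The following is an added example (not the rule's own query or any vendor code) that applies the rule's conditions to raw CloudTrail JSON records and then performs the policy diff the investigation step calls for: it extracts the principals granted by the submitted key policy, subtracts those in a known-good baseline, and flags any added principal whose account ID is not the key owner's (including the wildcard principal "*"). It assumes raw CloudTrail field names (eventSource, eventName, errorCode, userIdentity, requestParameters, resources) rather than the ECS fields named above; the account IDs, baseline policy and the three sample records are constructed for this example.

```python
"""Detect successful kms:PutKeyPolicy calls in raw CloudTrail records and diff
the submitted key policy against a known-good baseline (added example)."""
import json
from typing import Optional

OWN_ACCOUNT = "111111111111"  # constructed: account that owns the key

# Constructed known-good policy: account root may administer, one app role may use.
BASELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Root", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AppUse", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-role"},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
}

# Constructed rogue policy: the baseline plus a cross-account Decrypt grant.
ROGUE_POLICY = json.loads(json.dumps(BASELINE_POLICY))
ROGUE_POLICY["Statement"].append(
    {"Sid": "Rogue", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Action": "kms:Decrypt", "Resource": "*"})

KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed CloudTrail records: one true positive, one service-initiated call
# (excluded by the rule), one failed call (event.outcome would be failure).
SAMPLE_RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"keyId": KEY_ARN, "policyName": "default",
                           "policy": json.dumps(ROGUE_POLICY)},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"},
     "requestParameters": {"keyId": KEY_ARN, "policy": json.dumps(BASELINE_POLICY)},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
     "errorCode": "AccessDenied", "errorMessage": "not authorized",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"keyId": KEY_ARN, "policy": json.dumps(ROGUE_POLICY)}},
]


def matches_rule(record: dict) -> bool:
    """The rule's conditions expressed over raw CloudTrail fields."""
    if record.get("eventSource") != "kms.amazonaws.com":
        return False
    if record.get("eventName") != "PutKeyPolicy":
        return False
    if "errorCode" in record:  # a failed call; the rule wants outcome success
        return False
    if record.get("userIdentity", {}).get("type") == "AWSService":
        return False
    return True


def key_arn(record: dict) -> Optional[str]:
    """Prefer the resources block, fall back to requestParameters.keyId."""
    for res in record.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res.get("ARN")
    return record.get("requestParameters", {}).get("keyId")


def allowed_principals(policy: dict) -> set:
    """Every AWS principal granted by an Allow statement ('*' included)."""
    out = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        p = stmt.get("Principal", {})
        if isinstance(p, dict):
            p = p.get("AWS", [])
        out.update([p] if isinstance(p, str) else p)
    return out


def account_of(principal: str) -> Optional[str]:
    """Account ID from an ARN; None for '*' or anything that is not an ARN."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 and parts[0] == "arn" else None


def analyse(record: dict, baseline: dict = BASELINE_POLICY,
            own_account: str = OWN_ACCOUNT) -> dict:
    """Diff the submitted policy against the baseline and flag foreign/wildcard grants."""
    policy = json.loads(record["requestParameters"]["policy"])
    added = allowed_principals(policy) - allowed_principals(baseline)
    removed = allowed_principals(baseline) - allowed_principals(policy)
    foreign = {p for p in added if account_of(p) != own_account}
    return {"key": key_arn(record), "actor": record["userIdentity"].get("arn"),
            "added": added, "removed": removed, "foreign_or_wildcard": foreign}


def run(records: list) -> list:
    """Apply the rule to each record and return one finding per match."""
    return [analyse(r) for r in records if matches_rule(r)]


if __name__ == "__main__":
    for finding in run(SAMPLE_RECORDS):
        print(json.dumps({k: sorted(v) if isinstance(v, set) else v
                          for k, v in finding.items()}, indent=2))
```

The removed set is reported alongside the added one because a PutKeyPolicy that silently drops a security or audit role is the Impair Defenses case; a real deployment would fetch the baseline from the key's previous policy version or from the last approved change rather than from a constant.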
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1548
- T1548.005
- T1562
Created: 2026-04-08