
Summary
This detection rule identifies suspicious `CopyObject` events in Amazon S3 buckets where an external AWS KMS (Key Management Service) key is used for encryption. It aims to uncover adversaries who exploit a misconfigured S3 bucket to encrypt objects with a KMS key from a different AWS account, potentially denying rightful access to the data. The rule uses Elasticsearch Query Language (EQL) to filter CloudTrail logs for instances where the target bucket's AWS account ID differs from the account ID of the KMS key used for encryption. Legitimate administrative actions may also involve similar encryption operations; the rule therefore emphasizes thorough investigation and offers guidance for distinguishing genuine threats from false positives based on user behavior, timestamp analysis, and correlation with other AWS activity.
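The rule's core condition, bucket owner account versus KMS key owner account on a `CopyObject` event, can be reproduced outside Elasticsearch as a quick triage check over raw CloudTrail records. The following is an added example, not the rule's own EQL or any Elastic code; the record layout and field names (`requestParameters`, `resources`, `x-amz-server-side-encryption-aws-kms-key-id`) are assumptions modelled on the CloudTrail S3 data event format, and all sample events are constructed.

```python
import re
from typing import Optional
# Account ID inside a KMS key or alias ARN (arn:aws:kms:REGION:ACCOUNT:key/... or :alias/...).
KMS_ARN_ACCOUNT = re.compile(r"^arn:aws:kms:[^:]*:(\d{12}):")

def make_copy_event(bucket_acct, kms_key_id, actor="arn:aws:iam::111111111111:user/alice"):
    """Constructed CloudTrail-shaped CopyObject record (test data; layout is an assumption)."""
    params = {"bucketName": "victim-bucket", "key": "finance/report.csv"}
    if kms_key_id:
        params["x-amz-server-side-encryption"] = "aws:kms"
        params["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    else:
        params["x-amz-server-side-encryption"] = "AES256"  # SSE-S3, no KMS key involved
    return {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
            "userIdentity": {"arn": actor}, "requestParameters": params,
            "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::victim-bucket",
                           "accountId": bucket_acct}]}

SAMPLE_EVENTS = [  # the bucket is owned by 111111111111 in every case
    make_copy_event("111111111111", "arn:aws:kms:us-east-1:999999999999:key/EXAMPLE-KEY-ID"),
    make_copy_event("111111111111", "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"),
    make_copy_event("111111111111", "1234abcd-12ab-34cd-56ef-1234567890ab"),  # bare key ID
    make_copy_event("111111111111", None),
]
def bucket_account(event: dict) -> Optional[str]:
    """Owner account of the target bucket, from the AWS::S3::Bucket resource entry."""
    for res in event.get("resources", []):
        if res.get("type") == "AWS::S3::Bucket":
            return res.get("accountId")
    return None

def kms_key_account(event: dict) -> Optional[str]:
    """Account owning the KMS key named in the request, or None when it cannot be foreign."""
    key_id = event.get("requestParameters", {}).get("x-amz-server-side-encryption-aws-kms-key-id")
    if not key_id:
        return None
    # A bare key ID resolves only within the caller's own account; cross-account keys arrive as ARNs.
    m = KMS_ARN_ACCOUNT.match(key_id)
    return m.group(1) if m else None
def find_external_kms_copies(events: list) -> list:
    """The rule's core condition: CopyObject whose KMS key account differs from the bucket's."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("s3.amazonaws.com", "CopyObject"):
            continue
        b_acct, k_acct = bucket_account(ev), kms_key_account(ev)
        if b_acct and k_acct and b_acct != k_acct:
            findings.append({"bucket": ev["requestParameters"]["bucketName"], "bucket_account": b_acct,
                             "kms_key_account": k_acct, "actor": ev["userIdentity"]["arn"]})
    return findings
```

Only the first sample is flagged; the same-account ARN, the bare key ID and the SSE-S3 copy all fall outside the condition, which mirrors why the rule still needs the investigation steps the summary describes for the hits it does produce.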
Categories
- Cloud
- AWS
- Containers
Data Sources
- Cloud Storage
- Cloud Service
- Network Traffic
- User Account
ATT&CK Techniques
- T1486
Created: 2024-07-02