
ASL AWS Detect Users creating keys with encrypt policy without MFA
Splunk Security Content
Summary
This detection rule identifies potentially malicious activity in AWS Key Management Service (KMS) where a user creates or modifies an encryption key so that it is usable by all principals, from a session that did not use Multi-Factor Authentication (MFA). By analyzing AWS CloudTrail logs delivered through Amazon Security Lake, it focuses on `CreateKey` and `PutKeyPolicy` events whose key policy grants the `kms:Encrypt` action to `*` (all principals). Such actions could indicate a compromised AWS account, allowing unauthorized encryption of data that may disrupt operations or expose sensitive information across multiple parties. Because the detection relies only on CloudTrail event data, any key creation or policy change that grants this access without MFA is flagged for investigation.
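As an added example (not part of the Splunk rule or this page), the rule's conditions expressed in Python over constructed CloudTrail-shaped records: it assumes raw CloudTrail JSON field names (`eventName`, `requestParameters.policy`, `userIdentity.sessionContext.attributes.mfaAuthenticated`) rather than the OCSF schema Security Lake emits, and it also treats `kms:*` and `*` as grants of `kms:Encrypt`, which goes slightly beyond the rule's literal match.

```python
import json

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _grants_encrypt_to_all(stmt):
    """True if an Allow statement lets every principal ('*') call kms:Encrypt."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    principals = _as_list(principal) if isinstance(principal, (str, list)) \
        else _as_list(principal.get("AWS", []))
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    # kms:* and * also grant Encrypt, so treat them as matches too
    return "*" in principals and bool(actions & {"kms:encrypt", "kms:*", "*"})

def detect_open_encrypt_without_mfa(events):
    """Return CloudTrail records: CreateKey/PutKeyPolicy, no MFA, open kms:Encrypt grant."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in ("CreateKey", "PutKeyPolicy"):
            continue
        attrs = ev.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
        if attrs.get("mfaAuthenticated") == "true":  # missing attribute counts as no MFA
            continue
        try:
            policy = json.loads(ev.get("requestParameters", {}).get("policy") or "{}")
        except json.JSONDecodeError:
            continue  # malformed policy string: nothing to evaluate
        if any(_grants_encrypt_to_all(s) for s in _as_list(policy.get("Statement", []))):
            hits.append(ev)
    return hits

def _event(name, mfa, policy):
    """Minimal constructed CloudTrail-shaped record for the demo (not real log data)."""
    return {"eventSource": "kms.amazonaws.com", "eventName": name,
            "userIdentity": {"sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
            "requestParameters": {"policy": json.dumps(policy)}}

# Constructed key policies; 111122223333 is the AWS documentation placeholder account ID.
OPEN_ENCRYPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:Encrypt", "Resource": "*"}]}
ADMIN_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}
SAMPLE_EVENTS = [
    _event("CreateKey", "false", OPEN_ENCRYPT),    # should alert
    _event("PutKeyPolicy", "true", OPEN_ENCRYPT),  # MFA-backed session: no alert
    _event("CreateKey", "false", ADMIN_ONLY),      # scoped principal: no alert
]
```

Only the first sample record is returned; the OCSF records Security Lake produces use different field names, so map them before reusing this logic.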
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1486
Created: 2024-12-16