S3 Object Encrypted with External KMS Key

Panther Rules

Summary
This detection rule identifies when an AWS S3 object is copied using a KMS encryption key that belongs to a different AWS account than that of the S3 bucket owner. This scenario is often associated with ransomware attacks where malicious actors use their own encryption keys to lock the victim out of their data, leading to potential ransom situations or irreversible data loss. By monitoring AWS CloudTrail logs for relevant CopyObject events, the rule enables users to track and validate cross-account key usage, which could indicate malicious intent. The rule outlines steps in a runbook for investigating such occurrences by querying relevant CloudTrail logs, verifying account ID ownership of KMS keys, and assessing the potential reconnaissance done by the attacker prior to the CopyObject action.
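The core check the summary describes, as an added example (not Panther's rule code): given CloudTrail records, keep only S3 CopyObject events that requested SSE-KMS, pull the account ID out of the KMS key ARN, and flag the event when that account differs from the account that owns the bucket (taken here from `recipientAccountId`). The request-parameter names `x-amz-server-side-encryption` and `x-amz-server-side-encryption-aws-kms-key-id`, and the use of `recipientAccountId` as the bucket owner, are assumptions about the CloudTrail record layout; the three events are constructed sample data.

```python
"""
Added example: detect S3 CopyObject events that encrypt with a KMS key
from a foreign AWS account. Not Panther's rule code; CloudTrail field
names below are assumed, and all events are constructed samples.
"""
import re
from typing import Dict, List, Optional

# KMS key ARN layout: arn:<partition>:kms:<region>:<12-digit account>:key/<key-id>
KMS_KEY_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:kms:[a-z0-9-]+:(\d{12}):key/[0-9a-fA-F-]+$"
)


def kms_key_account(key_id: str) -> Optional[str]:
    """Return the account ID embedded in a KMS key ARN, or None for a
    bare key ID / alias (those always resolve in the caller's own account)."""
    m = KMS_KEY_ARN.match(key_id or "")
    return m.group(1) if m else None


def is_cross_account_kms_copy(event: Dict) -> bool:
    """True when a CopyObject used SSE-KMS with a key owned by an account
    other than the one the bucket (log recipient) belongs to."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") != "CopyObject":
        return False
    params = event.get("requestParameters") or {}
    if params.get("x-amz-server-side-encryption") != "aws:kms":
        return False  # SSE-S3 / no encryption: no external key involved
    key_account = kms_key_account(
        params.get("x-amz-server-side-encryption-aws-kms-key-id", "")
    )
    if key_account is None:
        return False  # non-ARN key reference stays in the caller's account
    return key_account != event.get("recipientAccountId")


def flag_events(events: List[Dict]) -> List[Dict]:
    """Reduce matching events to the fields an analyst needs for the
    runbook: when, which object, who did it, and which account owns the key."""
    findings = []
    for ev in events:
        if not is_cross_account_kms_copy(ev):
            continue
        params = ev.get("requestParameters") or {}
        findings.append({
            "eventTime": ev.get("eventTime"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "callerArn": (ev.get("userIdentity") or {}).get("arn"),
            "bucketAccount": ev.get("recipientAccountId"),
            "kmsKeyAccount": kms_key_account(
                params.get("x-amz-server-side-encryption-aws-kms-key-id", "")
            ),
        })
    return findings


def _copy_event(sse: Optional[str], key_arn: Optional[str]) -> Dict:
    """Build a constructed CopyObject record (sample data, not a real log)."""
    params = {"bucketName": "example-data-bucket", "key": "reports/q4.csv"}
    if sse:
        params["x-amz-server-side-encryption"] = sse
    if key_arn:
        params["x-amz-server-side-encryption-aws-kms-key-id"] = key_arn
    return {
        "eventTime": "2025-01-15T10:42:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "CopyObject",
        "recipientAccountId": "111122223333",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/sample-user"},
        "requestParameters": params,
    }


# Constructed samples: foreign-account key, same-account key, plain SSE-S3.
SAMPLE_EVENTS = [
    _copy_event("aws:kms", "arn:aws:kms:us-east-1:999988887777:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
    _copy_event("aws:kms", "arn:aws:kms:us-east-1:111122223333:key/abcd1234-12ab-34cd-56ef-1234567890ab"),
    _copy_event("AES256", None),
]

if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f)
```

Only the first sample is reported: its key ARN names account `999988887777` while the bucket's log recipient is `111122223333`. The same-account KMS copy and the SSE-S3 copy are ignored, which is the behaviour you want before moving on to the runbook steps (confirming who owns the key and what the caller did beforehand).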
Categories
  • Cloud
  • AWS
  • Containers
Data Sources
  • Cloud Service
  • Network Traffic
  • File
ATT&CK Techniques
  • T1486
Created: 2025-12-10