AWS Detect Users with KMS keys performing encryption S3

Splunk Security Content

Summary
This detection identifies potentially unauthorized use of AWS Key Management Service (KMS) keys to encrypt objects in S3 buckets. It uses CloudTrail logs to look for `CopyObject` events that request server-side encryption with KMS (SSE-KMS). Copying an object onto itself with a different KMS key re-encrypts it in place, so a run of such operations, particularly with a key the bucket owner does not control, can indicate an attacker encrypting data for impact (T1486) or tampering with it ahead of exfiltration rather than routine data protection. The rule groups the matching events by user and records supporting fields such as the timestamp and user agent, so security teams can assess the risk and respond to suspicious encryption activity. Alerting on these operations helps protect the integrity and availability of data stored in S3.
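The following is an added example, not the Splunk Security Content search itself, showing the same detection logic run offline over a handful of CloudTrail-style S3 data-event records. It filters `CopyObject` events whose `x-amz-server-side-encryption` request parameter is `aws:kms`, groups them by the calling identity with timestamps, user agents and source IPs, and goes one step beyond the page by flagging a KMS key ARN whose account does not match `recipientAccountId`, which is the strongest single triage signal for this rule. The records, ARNs, bucket names, key IDs and IP addresses are constructed; the field names follow the CloudTrail schema as I know it and are an assumption of this example.

```python
import json

# Constructed CloudTrail S3 data-event records (not real logs). Field names follow the
# CloudTrail schema as I know it; every ARN, bucket, key ID and IP address is made up.
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {   # alice re-encrypts an object in place with a key owned by a different account
        "eventTime": "2024-11-14T10:01:12Z", "eventSource": "s3.amazonaws.com",
        "eventName": "CopyObject", "recipientAccountId": "111122223333",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "userAgent": "[aws-cli/2.15.0]", "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "bucketName": "payroll-archive", "key": "2024/q3.csv",
            "x-amz-copy-source": "payroll-archive/2024/q3.csv",
            "x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id":
                "arn:aws:kms:us-east-1:999988887777:key/0000aaaa-1111-2222-3333-444455556666"}},
    {   # alice again, same foreign key, second object
        "eventTime": "2024-11-14T10:01:15Z", "eventSource": "s3.amazonaws.com",
        "eventName": "CopyObject", "recipientAccountId": "111122223333",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "userAgent": "[aws-cli/2.15.0]", "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "bucketName": "payroll-archive", "key": "2024/q2.csv",
            "x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id":
                "arn:aws:kms:us-east-1:999988887777:key/0000aaaa-1111-2222-3333-444455556666"}},
    {   # a backup role using SSE-KMS with a key in the same account: matches, but not cross-account
        "eventTime": "2024-11-14T02:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "CopyObject", "recipientAccountId": "111122223333",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/backup-job/i-0abc"},
        "userAgent": "[aws-sdk-go/1.44]", "sourceIPAddress": "10.0.4.21",
        "requestParameters": {
            "bucketName": "payroll-archive", "key": "2024/q1.csv",
            "x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id":
                "arn:aws:kms:us-east-1:111122223333:key/aaaa0000-1111-2222-3333-444455556666"}},
    {   # bob copies with SSE-S3 (AES256), which this rule does not flag
        "eventTime": "2024-11-14T10:05:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "CopyObject", "recipientAccountId": "111122223333",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "userAgent": "[aws-cli/2.15.0]", "sourceIPAddress": "203.0.113.11",
        "requestParameters": {"bucketName": "payroll-archive", "key": "readme.txt",
                              "x-amz-server-side-encryption": "AES256"}},
    {   # an unrelated read
        "eventTime": "2024-11-14T10:06:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "recipientAccountId": "111122223333",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "userAgent": "[aws-cli/2.15.0]", "sourceIPAddress": "203.0.113.11",
        "requestParameters": {"bucketName": "payroll-archive", "key": "readme.txt"}},
]})


def load_records(raw_json):
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(raw_json).get("Records", [])


def kms_key_account(key_id):
    """Account ID embedded in a KMS key ARN; None for a bare key ID, alias or missing value."""
    parts = key_id.split(":") if key_id else []
    return parts[4] if len(parts) >= 6 and parts[:3] == ["arn", "aws", "kms"] else None


def is_kms_copy(record):
    """The rule's core predicate: an S3 CopyObject that requests SSE-KMS."""
    params = record.get("requestParameters") or {}
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") == "CopyObject"
            and params.get("x-amz-server-side-encryption") == "aws:kms")


def summarize_kms_copies(records):
    """Group matching events by caller ARN with the fields an analyst triages on."""
    by_user = {}
    for r in records:
        if not is_kms_copy(r):
            continue
        arn = (r.get("userIdentity") or {}).get("arn", "unknown")
        params = r["requestParameters"]
        key_id = params.get("x-amz-server-side-encryption-aws-kms-key-id", "")
        e = by_user.setdefault(arn, {
            "count": 0, "first_time": r["eventTime"], "last_time": r["eventTime"],
            "user_agents": set(), "source_ips": set(), "objects": [],
            "kms_key_ids": set(), "cross_account_key": False})
        e["count"] += 1
        e["first_time"] = min(e["first_time"], r["eventTime"])  # ISO-8601 Z sorts lexically
        e["last_time"] = max(e["last_time"], r["eventTime"])
        e["user_agents"].add(r.get("userAgent", ""))
        e["source_ips"].add(r.get("sourceIPAddress", ""))
        e["objects"].append(f"{params.get('bucketName')}/{params.get('key')}")
        e["kms_key_ids"].add(key_id)
        # Added check: a key ARN from another account than the one receiving the event
        # (recipientAccountId) is the strongest signal of an attacker-controlled key.
        acct = kms_key_account(key_id)
        if acct and acct != r.get("recipientAccountId"):
            e["cross_account_key"] = True
    return by_user


if __name__ == "__main__":
    for arn, e in summarize_kms_copies(load_records(SAMPLE_CLOUDTRAIL_JSON)).items():
        flag = "CROSS-ACCOUNT KEY" if e["cross_account_key"] else "same-account key"
        print(f"{arn}: {e['count']} SSE-KMS CopyObject(s) {e['first_time']}..{e['last_time']} "
              f"[{flag}] agents={sorted(e['user_agents'])} objects={e['objects']}")
```

In practice the cross-account comparison is a triage enrichment rather than a filter: a backup role re-encrypting under an in-account key is expected and should be tuned out, while the same operation with a key from an unknown account warrants an immediate look at who created or imported that key.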
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Storage
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1486
Created: 2024-11-14