Elastic Security Detection Rules

AWS S3 Object Encryption Using External KMS Key

Last updated 6 days ago on 2025-12-02
Created a year ago on 2024-07-02

About

Identifies use of the S3 CopyObject API where the destination object is encrypted using an AWS KMS key from an external AWS account. This behavior may indicate ransomware-style impact activity where an adversary with access to a misconfigured S3 bucket encrypts objects using a KMS key they control, preventing the bucket owner from decrypting their own data. This technique is a critical early signal of destructive intent or cross-account misuse.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS S3Data Source: AWS KMSUse Case: Threat DetectionTactic: ImpactLanguage: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Impact (TA0040)(opens in a new tab or window)

Data Encrypted for Impact (T1486)(opens in a new tab or window)

False Positive Examples
Cross-account KMS key usage may be legitimate in multi-account AWS Organizations architectures where centralized encryption keys are used for data governance or auditing workflows. Confirm whether the external KMS key belongs to an expected account before taking action. Data migration or cross-account backup workflows may legitimately re-encrypt S3 objects using a key in another account. Ensure these workflows are documented, tied to known IAM roles, and occur on predictable schedules.
License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws(opens in a new tab or window)

Query
from logs-aws.cloudtrail-* metadata _id, _version, _index

// any successful S3 copy event
| where
  event.dataset == "aws.cloudtrail"
  and event.provider == "s3.amazonaws.com"
  and event.action == "CopyObject"
  and event.outcome == "success"

// dissect request parameters to extract KMS key info and target object info
| dissect aws.cloudtrail.request_parameters
    "{%{?bucketName}=%{Esql.aws_cloudtrail_request_parameters_target_bucket_name},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{Esql.aws_cloudtrail_request_parameters_kms_key_account_id}:%{?key}/%{Esql.aws_cloudtrail_request_parameters_kms_key_id},%{?Host}=%{?tls.client.server.name},%{?x-amz-server-side-encryption}=%{?server_side_encryption},%{?x-amz-copy-source}=%{?bucket.object.name},%{?key}=%{Esql.aws_cloudtrail_request_parameters_target_object_key}}"

// detect cross-account key usage
| where cloud.account.id != Esql.aws_cloudtrail_request_parameters_kms_key_account_id

// keep ECS and dissected fields
| keep
  @timestamp,
  data_stream.namespace,
  user.name,
  user_agent.original,
  source.ip,
  aws.cloudtrail.user_identity.arn,
  aws.cloudtrail.user_identity.type,
  aws.cloudtrail.user_identity.access_key_id,
  aws.cloudtrail.resources.arn,
  aws.cloudtrail.resources.type,
  event.action,
  event.outcome,
  cloud.account.id,
  cloud.region,
  aws.cloudtrail.request_parameters,
  aws.cloudtrail.response_elements,
  Esql.aws_cloudtrail_request_parameters_target_bucket_name,
  Esql.aws_cloudtrail_request_parameters_target_object_key,
  Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
  Esql.aws_cloudtrail_request_parameters_kms_key_id

Install detection rules in Elastic Security

Detect AWS S3 Object Encryption Using External KMS Key in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).