from logs-aws.cloudtrail-* metadata _id, _version, _index
// Purpose: surface S3 CopyObject requests whose server-side-encryption KMS key belongs to a
// different AWS account than the one that emitted the CloudTrail event.
// Scope: only successful CopyObject calls are examined (the dissect pattern below expects an
// x-amz-copy-source parameter); other S3 writes that accept the same KMS key header, e.g. a
// PutObject, are not covered by this query and would need a separate rule.
| where
event.dataset == "aws.cloudtrail"
and event.provider == "s3.amazonaws.com"
and event.action == "CopyObject"
and event.outcome == "success"
// Positional parse of the serialized request_parameters string. %{?name} is a named skip key
// (consumed but not emitted); the four Esql.* keys capture the target bucket, the KMS key's
// account id and key id (both taken from the key ARN), and the target object key.
// NOTE(review): the pattern assumes this exact parameter order. An event serialized in a
// different order, or with a parameter missing, does not match, leaves the Esql.* fields
// null, and is then dropped by the account-id comparison below instead of producing an
// alert — confirm against sample events before relying on this for coverage.
| dissect aws.cloudtrail.request_parameters
"{%{?bucketName}=%{Esql.aws_cloudtrail_request_parameters_target_bucket_name},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{Esql.aws_cloudtrail_request_parameters_kms_key_account_id}:%{?key}/%{Esql.aws_cloudtrail_request_parameters_kms_key_id},%{?Host}=%{?tls.client.server.name},%{?x-amz-server-side-encryption}=%{?server_side_encryption},%{?x-amz-copy-source}=%{?bucket.object.name},%{?key}=%{Esql.aws_cloudtrail_request_parameters_target_object_key}}"
// Cross-account check: the account id parsed out of the KMS key ARN differs from the account
// that logged the event. A key deliberately shared across accounts of the same organization
// also matches; tune with exceptions for known partner account ids rather than loosening it.
| where cloud.account.id != Esql.aws_cloudtrail_request_parameters_kms_key_account_id
// Triage columns: the calling identity (user_identity.arn), the source account, and the
// parsed target bucket/object and external key details. Anything not listed here is dropped
// from the result, so add further ECS fields to this list if the alert needs them.
| keep
@timestamp,
aws.cloudtrail.user_identity.arn,
cloud.account.id,
event.action,
Esql.aws_cloudtrail_request_parameters_target_bucket_name,
Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
Esql.aws_cloudtrail_request_parameters_kms_key_id,
Esql.aws_cloudtrail_request_parameters_target_object_key
Detect AWS S3 Object Encryption Using External KMS Key in the Elastic Security detection engine by installing this rule into your Elastic Stack.