AWS KMS Key Policy Updated via PutKeyPolicy

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Identifies successful PutKeyPolicy calls on AWS KMS keys. The key policy is a resource-based policy that controls which principals can use the key for cryptographic operations and administration. Adversaries with "kms:PutKeyPolicy" may add or broaden principals (including external accounts) to decrypt or exfiltrate data protected by the key, or to preserve access after other credentials are rotated. This is distinct from disabling or scheduling deletion of the key.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS KMS
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Tactic: Privilege Escalation
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

Investigating AWS KMS Key Policy Updated via PutKeyPolicy

PutKeyPolicy replaces the entire key policy for a customer managed KMS key (and is used in limited scenarios for AWS managed keys). Unexpected changes can grant kms:Decrypt, kms:GenerateDataKey, or administrative actions to new identities.

Possible investigation steps

  • Identify the key from aws.cloudtrail.resources.arn or aws.cloudtrail.request_parameters.keyId.
  • Inspect the policy document in aws.cloudtrail.request_parameters (or related fields) for new Principal, AWS, or kms:CallerAccount entries and for cross-account ARNs.
  • Determine which data stores use the key (S3, EBS, RDS, Secrets Manager, etc.) via CMK aliases or CMDB.
  • Correlate with iam:AttachRolePolicy, sts:AssumeRole, or data-plane access from newly added principals.

False positive analysis

  • Planned multi-account encryption patterns; confirm recipient accounts are approved.

Response and remediation

  • If unauthorized: restore a known-good policy from backup or IAM/KMS change history, remove rogue principals, and restrict kms:PutKeyPolicy to break-glass roles.

Additional information

Rule query

event.dataset: "aws.cloudtrail"
    and event.provider: "kms.amazonaws.com"
    and event.action: "PutKeyPolicy"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
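The following is an added example, not part of the Elastic rule or its documentation: it applies the rule query's conditions to constructed raw CloudTrail records and then performs the investigation step of extracting principals outside the owning account from the new key policy. The account ids, key ids and ARNs are made up, and the raw CloudTrail field names are assumed to map onto the event.* and aws.cloudtrail.* fields used in the query.

```python
import json

OWN_ACCOUNT = "111111111111"  # assumed id of the account that owns the keys

# Constructed CloudTrail records in raw JSON layout (Filebeat maps eventSource,
# eventName, errorCode and userIdentity onto the rule's event.* / aws.cloudtrail.* fields).
CROSS_ACCOUNT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::999999999999:root"]},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]})
RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"keyId": "1234abcd-0000-0000-0000-000000000000",
                           "policyName": "default", "policy": CROSS_ACCOUNT_POLICY}},
    # Same call but denied (errorCode present): the rule requires event.outcome success.
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"keyId": "1234abcd-0000-0000-0000-000000000000"}},
    # Call made by an AWS service principal: excluded by the user_identity.type filter.
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"},
     "requestParameters": {"keyId": "5678efgh-0000-0000-0000-000000000000",
                           "policyName": "default", "policy": CROSS_ACCOUNT_POLICY}},
]

def matches_rule(rec):
    """Same conditions as the rule query, expressed on raw CloudTrail field names."""
    return (rec.get("eventSource") == "kms.amazonaws.com"
            and rec.get("eventName") == "PutKeyPolicy"
            and "errorCode" not in rec                       # event.outcome: success
            and rec.get("userIdentity", {}).get("type") != "AWSService")

def foreign_principals(rec, own_account=OWN_ACCOUNT):
    """Triage step: principals in Allow statements that do not belong to own_account."""
    policy = json.loads(rec["requestParameters"]["policy"])
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn == "*" or f":{own_account}:" not in arn:
                found.append(arn)
    return found

def triage(records):
    """Records that would alert, paired with the foreign principals for analyst review."""
    return [(r["requestParameters"]["keyId"], foreign_principals(r))
            for r in records if matches_rule(r)]
```

Only the first record alerts, and triage reports the 999999999999 root principal that the new policy grants kms:Decrypt and kms:GenerateDataKey.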

Framework: MITRE ATT&CK™