Detection rules › Splunk
AWS Detect Users creating keys with encrypt policy without MFA
The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify CreateKey or PutKeyPolicy events where the kms:Encrypt action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1486 Data Encrypted for Impact |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body splunk
name: AWS Detect Users creating keys with encrypt policy without MFA
id: c79c164f-4b21-4847-98f9-cf6a9f49179e
version: 11
creation_date: '2020-10-27'
modification_date: '2026-05-13'
author: Rod Soto, Patrick Bareiss Splunk
status: production
type: TTP
description: The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.
data_source:
- AWS CloudTrail CreateKey
- AWS CloudTrail PutKeyPolicy
search: |-
`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy
| spath input=requestParameters.policy output=key_policy_statements path=Statement{}
| mvexpand key_policy_statements
| spath input=key_policy_statements output=key_policy_action_1 path=Action
| spath input=key_policy_statements output=key_policy_action_2 path=Action{}
| eval key_policy_action=mvappend(key_policy_action_1,key_policy_action_2)
| spath input=key_policy_statements output=key_policy_principal path=Principal.AWS
| search key_policy_action="kms:Encrypt" AND key_policy_principal="*"
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product key_policy_action
key_policy_principal
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs
known_false_positives: No false positives have been identified at this time.
references:
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://github.com/d1vious/git-wild-hunt
- https://www.youtube.com/watch?v=PgzNib37g0M
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: AWS account is potentially compromised and user $user$ is trying to compromise other accounts.
entity:
field: user
type: user
score: 50
analytic_story:
- Ransomware Cloud
asset_type: AWS Account
mitre_attack_id:
- T1486
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
test_type: unit
Stages and Predicates
Stage 1: search
`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy
Stage 2: spath
| spath input=requestParameters.policy output=key_policy_statements path=Statement{}
Stage 3: mvexpand
| mvexpand key_policy_statements
Stage 4: spath
| spath input=key_policy_statements output=key_policy_action_1 path=Action
Stage 5: spath
| spath input=key_policy_statements output=key_policy_action_2 path=Action{}
Stage 6: eval
| eval key_policy_action=mvappend(key_policy_action_1,key_policy_action_2)
Stage 7: spath
| spath input=key_policy_statements output=key_policy_principal path=Principal.AWS
Stage 8: search
| search key_policy_action="kms:Encrypt" AND key_policy_principal="*"
Stage 9: rename
| rename user_name as user
Stage 10: stats
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product key_policy_action
key_policy_principal
Stage 11: search
| `security_content_ctime(firstTime)`
Stage 12: search
| `security_content_ctime(lastTime)`
Stage 13: search
| `aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | eq |
|
key_policy_action | eq |
|
key_policy_principal | eq |
|
sourcetype | eq |
|