AWS KMS Key Policy Updated via PutKeyPolicy

Identifies successful PutKeyPolicy calls on AWS KMS keys. The key policy is a resource-based policy that controls which principals can use the key for cryptographic operations and administration. Adversaries with "kms:PutKeyPolicy" may add or broaden principals (including external accounts) to decrypt or exfiltrate data protected by the key, or to preserve access after other credentials are rotated. This is distinct from disabling or scheduling deletion of the key.

Rule type: query
Rule indices:

• filebeat-*
• logs-aws.cloudtrail-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

• https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
• https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

Tags:

• Domain: Cloud
• Data Source: AWS
• Data Source: Amazon Web Services
• Data Source: AWS KMS
• Use Case: Threat Detection
• Tactic: Defense Evasion
• Tactic: Privilege Escalation
• Resources: Investigation Guide

Version: 1
Rule authors:

• Elastic

Rule license: Elastic License v2

PutKeyPolicy replaces the entire key policy for a customer managed KMS key (and is used in limited scenarios for AWS managed keys). Unexpected changes can grant kms:Decrypt, kms:GenerateDataKey, or administrative actions to new identities.

• Identify the key from aws.cloudtrail.resources.arn or aws.cloudtrail.request_parameters.keyId.
• Inspect policy in aws.cloudtrail.request_parameters (or related fields) for new Principal, AWS, or kms:CallerAccount entries and cross-account ARNs.
• Determine which data stores use the key (S3, EBS, RDS, Secrets Manager, etc.) via CMK aliases or CMDB.
• Correlate with iam:AttachRolePolicy, sts:AssumeRole, or data-plane access from newly added principals.

• Planned multi-account encryption patterns; confirm recipient accounts are approved.

• If unauthorized: restore a known-good policy from backup or IAM/KMS change history, remove rogue principals, and restrict kms:PutKeyPolicy to break-glass roles.

• PutKeyPolicy
• KMS key policies

event.dataset: "aws.cloudtrail"
    and event.provider: "kms.amazonaws.com"
    and event.action: "PutKeyPolicy"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Privilege Escalation
  • Id: TA0004
  • Reference URL: https://attack.mitre.org/tactics/TA0004/

• Technique:

  • Name: Abuse Elevation Control Mechanism
  • Id: T1548
  • Reference URL: https://attack.mitre.org/techniques/T1548/

• Sub Technique:

  • Name: Temporary Elevated Cloud Access
  • Id: T1548.005
  • Reference URL: https://attack.mitre.org/techniques/T1548/005/

Framework: MITRE ATT&CK

• Tactic:

  • Name: Defense Evasion
  • Id: TA0005
  • Reference URL: https://attack.mitre.org/tactics/TA0005/

• Technique:

  • Name: Impair Defenses
  • Id: T1562
  • Reference URL: https://attack.mitre.org/techniques/T1562/