AWS Detect Users creating keys with encrypt policy without MFA

Name:AWS Detect Users creating keys with encrypt policy without MFA
id:c79c164f-4b21-4847-98f9-cf6a9f49179e
version:9
date:2026-03-10
author:Rod Soto, Patrick Bareiss Splunk
status:production
type:TTP
Description:The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.
Data_source:

• -AWS CloudTrail CreateKey
• -AWS CloudTrail PutKeyPolicy

search:`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy

| spath input=requestParameters.policy output=key_policy_statements path=Statement{}

| mvexpand key_policy_statements

| spath input=key_policy_statements output=key_policy_action_1 path=Action

| spath input=key_policy_statements output=key_policy_action_2 path=Action{}

| eval key_policy_action=mvappend(key_policy_action_1,key_policy_action_2)

| spath input=key_policy_statements output=key_policy_principal path=Principal.AWS

| search key_policy_action="kms:Encrypt" AND key_policy_principal="*"

| rename user_name as user

| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product key_policy_action
key_policy_principal

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`

how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs
known_false_positives:No false positives have been identified at this time.
References:
  -https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
  -https://github.com/d1vious/git-wild-hunt
  -https://www.youtube.com/watch?v=PgzNib37g0M
drilldown_searches:
 name:'View the detection results for - "$user$"'
 search:'%original_detection_search% | search user = "$user$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Ransomware Cloud'
  asset_type:AWS Account
  mitre_attack_id:
    - 'T1486'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:threat

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json
  sourcetype: aws:cloudtrail
  source: aws_cloudtrail
manual_test:None