← Back to Explore
splunk_escuTTP
ASL AWS Detect Users creating keys with encrypt policy without MFA
The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs from Amazon Security Lake to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.
Detection Query
`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=CreateKey
| spath input=api.request.data path=policy output=policy
| spath input=policy
| rename Statement{}.Action as Action, Statement{}.Principal as Principal
| eval Statement=mvzip(Action,Principal,"
| ")
| mvexpand Statement
| eval action=mvindex(split(Statement, "
| "), 0)
| eval principal=mvindex(split(Statement, "
| "), 1)
| search action=kms*
| regex principal="\*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor.user.uid api.operation api.service.name
http_request.user_agent src_endpoint.ip actor.user.account.uid
cloud.provider cloud.region api.request.data
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`Author
Patrick Bareiss, Splunk
Created
2026-03-10
Data Sources
ASL AWS CloudTrail
References
Tags
Ransomware Cloud
Raw Content
name: ASL AWS Detect Users creating keys with encrypt policy without MFA
id: 16ae9076-d1d5-411c-8fdd-457504b33dac
version: 6
date: '2026-03-10'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs from Amazon Security Lake to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.
data_source:
- ASL AWS CloudTrail
search: |-
`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=CreateKey
| spath input=api.request.data path=policy output=policy
| spath input=policy
| rename Statement{}.Action as Action, Statement{}.Principal as Principal
| eval Statement=mvzip(Action,Principal,"
| ")
| mvexpand Statement
| eval action=mvindex(split(Statement, "
| "), 0)
| eval principal=mvindex(split(Statement, "
| "), 1)
| search action=kms*
| regex principal="\*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor.user.uid api.operation api.service.name
http_request.user_agent src_endpoint.ip actor.user.account.uid
cloud.provider cloud.region api.request.data
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`
how_to_implement: The detection is based on Cloudtrail events from Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
known_false_positives: No false positives have been identified at this time.
references:
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://github.com/d1vious/git-wild-hunt
- https://www.youtube.com/watch?v=PgzNib37g0M
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts
risk_objects:
- field: user
type: user
score: 50
threat_objects: []
tags:
analytic_story:
- Ransomware Cloud
asset_type: AWS Account
mitre_attack_id:
- T1486
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/asl_ocsf_cloudtrail.json
sourcetype: aws:asl
source: aws_asl