AWS Detect Users creating keys with encrypt policy without MFA

name: AWS Detect Users creating keys with encrypt policy without MFA
id: c79c164f-4b21-4847-98f9-cf6a9f49179e
version: 9
date: '2026-03-10'
author: Rod Soto, Patrick Bareiss Splunk
status: production
type: TTP
description: The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.
data_source:
    - AWS CloudTrail CreateKey
    - AWS CloudTrail PutKeyPolicy
search: |-
    `cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy
      | spath input=requestParameters.policy output=key_policy_statements path=Statement{}
      | mvexpand key_policy_statements
      | spath input=key_policy_statements output=key_policy_action_1 path=Action
      | spath input=key_policy_statements output=key_policy_action_2 path=Action{}
      | eval key_policy_action=mvappend(key_policy_action_1,key_policy_action_2)
      | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS
      | search key_policy_action="kms:Encrypt" AND key_policy_principal="*"
      | rename user_name as user
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY signature dest user
           user_agent src vendor_account
           vendor_region vendor_product key_policy_action
           key_policy_principal
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs
known_false_positives: No false positives have been identified at this time.
references:
    - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
    - https://github.com/d1vious/git-wild-hunt
    - https://www.youtube.com/watch?v=PgzNib37g0M
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts.
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Ransomware Cloud
    asset_type: AWS Account
    mitre_attack_id:
        - T1486
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail