Update AWS KMS post-exploitation documentation

carlospolop · web-flow · commit 1077cf6f891e · 2025-10-07T11:02:01.000+02:00
Clarified KMS policy restrictions and updated ransomware sections.
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md
@@ -98,23 +98,22 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
 ```
 
 > [!CAUTION]
-> Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able cause the Put Polocy action cannot be perfoemed from a cross account**.
+> Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able cause the Put Polocy action cannot be performed from a cross account**.
 
 <figure><img src="../../../images/image (77).png" alt=""><figcaption></figcaption></figure>
 
 ### Generic KMS Ransomware
 
-#### Global KMS Ransomware
-
 There is another way to perform a global KMS Ransomware, which would involve the following steps:
 
 - Create a new **key with a key material** imported by the attacker
-- **Re-encrypt older data** encrypted with the previous version with the new one.
+- **Re-encrypt older data** of the victim encrypted with the previous version with the new one.
 - **Delete the KMS key**
 - Now only the attacker, who has the original key material could be able to decrypt the encrypted data
 
-#### Ransomware via kms:DeleteImportedKeyMaterial
-With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with Origin=EXTERNAL, making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible.
+### Delete Keys via kms:DeleteImportedKeyMaterial
+
+With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with `Origin=EXTERNAL` (CMKs that have imperted their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible.
 
 ```bash
 aws kms delete-imported-key-material --key-id <Key_ID>
@@ -123,10 +122,9 @@ aws kms delete-imported-key-material --key-id <Key_ID>
 
 ### Destroy keys
 
-```bash
-# Destoy they key material previously imported making the key useless
-aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
+Destroying keys it's possible to perform a DoS.
 
+```bash
 # Schedule the destoy of a key (min wait time is 7 days)
 aws kms schedule-key-deletion \
     --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
