[Rule Tuning] AWS S3 Object Encryption Using External KMS Key

Rule is alerting as expected, with low telemetry volume. Updates to rule query are to provide more alert context as an ESQL rule.
- reduced execution window
- added additional fields for more alert context, include customer-requested `data_stream.namespace` field
- added highlighted fields
- updated description and investigation guide

Author: imays11

rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml

@@ -2,61 +2,143 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/02"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption.
-Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS
-key to deny their victims access to their own data.
+Identifies use of the S3 CopyObject API where the destination object is encrypted using an AWS KMS key from an external
+AWS account. This behavior may indicate ransomware-style impact activity where an adversary with access to a
+misconfigured S3 bucket encrypts objects using a KMS key they control, preventing the bucket owner from decrypting their
+own data. This technique is a critical early signal of destructive intent or cross-account misuse.
 """
 false_positives = [
     """
-    Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an
-    account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before
-    taking action.
+    Cross-account KMS key usage may be legitimate in multi-account AWS Organizations architectures where centralized
+    encryption keys are used for data governance or auditing workflows. Confirm whether the external KMS key belongs to
+    an expected account before taking action. Data migration or cross-account backup workflows may legitimately
+    re-encrypt S3 objects using a key in another account. Ensure these workflows are documented, tied to known IAM
+    roles, and occur on predictable schedules.
     """,
 ]
-from = "now-9m"
+from = "now-6m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS S3 Object Encryption Using External KMS Key"
 note = """## Triage and analysis
 
-### Investigating AWS S3 Object Encryption Using External KMS Key
-
-This rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.
-This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.
-
-#### Possible Investigation Steps:
-
-- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
-- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId.
-- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
-- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
-- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
-- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.
-- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.
-
-### False Positive Analysis:
-
-- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.
-- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
-
-### Response and Remediation:
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
+> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.
 
-- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity.
-- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions.
-- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.
-- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.
-- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.
-
-### Additional Information:
+### Investigating AWS S3 Object Encryption Using External KMS Key
 
-For further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:
-- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)
-- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)
+This rule detects when an S3 `CopyObject` operation encrypts an object using a KMS key belonging to a different AWS account than the bucket owner. This behavior is unusual and a strong indicator of:
+
+- Cloud ransomware techniques, where adversaries encrypt data using a key only they control.
+- Cross-account privilege misuse, especially when an unauthorized principal has write access to S3.
+- Misconfigured bucket permissions, enabling principals from another account to perform privileged copy operations.
+- Early impact-stage activity in incidents where attackers prepare to destroy availability or deny the owner access.
+
+The rule uses ESQL to identify cases where the `cloud.account.id` (bucket owner) differs from the dissected `kms_key_account_id` used for encrypting the new object version.
+
+
+#### Possible investigation steps
+
+**Identify the actor and access pathway**
+- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
+- Check whether the caller is:
+  - A legitimate cross-account automation role,  
+  - A compromised IAM user or workload identity, or  
+  - A federated identity behaving outside of normal patterns.
+- Inspect `user_agent.original` to determine whether the action came from the AWS Console, CLI, SDK, or unusual tooling.
+
+**Analyze the encryption behavior**
+- Inspect the dissected KMS key fields:
+  - `Esql.aws_cloudtrail_request_parameters_kms_key_account_id`
+  - `Esql.aws_cloudtrail_request_parameters_kms_key_id`
+- Confirm whether the external key:
+  - Belongs to an attacker-controlled account,  
+  - Is unknown to your organization, or  
+  - Lives in a shared or security tooling account.
+
+**Assess the objects affected**
+- Review:
+  - `Esql.aws_cloudtrail_request_parameters_target_bucket_name`
+  - `Esql.aws_cloudtrail_request_parameters_target_object_key`
+- Identify:
+  - Whether objects were overwritten or new encrypted copies were created.
+  - The sensitivity or criticality of the affected data.
+  - Whether object versioning is enabled (important for recovery).
+
+**Correlate surrounding access patterns**
+Pivot in CloudTrail on:
+- The same access key ID  
+- The same IAM principal  
+- Affected bucket ARN  
+
+Look for:
+- `DeleteObject` or `DeleteObjects` calls (common in ransomware behavior)
+- Mass enumeration prior to the event (`ListObjectsV2`, `GetObject`)
+- Other impact-stage actions (`PutBucketPolicy`, `PutBucketAcl`, disabling logging)
+- Attempts to encrypt additional objects in rapid succession
+
+**Evaluate bucket permissions and exposure**
+Review:
+- S3 bucket policy changes
+- IAM roles with `s3:PutObject` or `s3:PutObjectAcl` permissions
+- Whether unintended cross-account `Principal` entries exist
+- Whether the KMS key policy explicitly trusts your account or a foreign one
+
+**Validate business justification**
+- Confirm with storage, data engineering, or application teams whether:
+  - Any migration, transformation, or backup workflows should be encrypting objects cross-account.
+  - Scheduled jobs or CI/CD pipelines were operating at the time of the event.
+
+### False positive analysis
+
+- **Expected cross-account encryption**  
+  Many organizations use centralized encryption accounts or shared security accounts. Validate:
+  - Whether the KMS key account is part of your AWS Organization
+  - Whether the workflow, role, or application is documented
+  - Whether the principal routinely performs CopyObject operations
+
+### Response and remediation
+
+**Contain and prevent further impact**
+- Immediately restrict S3 write access for the principal involved.
+- If the KMS key is attacker-controlled, the impacted objects may be unrecoverable without versioning.
+- If object versioning is disabled, enable it on the affected bucket to strengthen future resilience.
+
+**Investigate scope and severity**
+- Identify:
+  - Additional objects encrypted using external keys
+  - Related suspicious actions (delete, modify, exfiltration events)
+  - Whether any ransom markers or unauthorized files were uploaded
+- Validate whether the external KMS key grants *decrypt* permission back to the bucket owner (rare in attacker use).
+
+**Recover and secure the bucket**
+- Restore accessible previous versions if versioning is enabled.
+- Revoke unauthorized access key pairs or session credentials.
+- Audit bucket policies, ACLs, and IAM conditions (`aws:PrincipalArn`, `aws:SourceAccount`, `aws:SourceArn`).
+- Tighten cross-account access controls:
+  - Remove unintended `Principal` clauses
+  - Restrict KMS usage to known accounts
+  - Enforce SCPs that block cross-account KMS use unless explicitly approved
+
+**Long-term hardening**
+- Integrate object-level access logging and S3 server access logging into security monitoring.
+- Add AWS Config rules (or Security Hub controls) detecting:
+  - Public buckets
+  - Cross-account access to S3
+  - KMS policies permitting foreign principals
+- Document required cross-account workflows and add explicit allowlists.
+
+### Additional information
+
+- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
+- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
+- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
 """
 references = [
     "https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/",
@@ -66,7 +148,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "ab8f074c-5565-4bc4-991c-d49770e19fc9"
-setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration."
+setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration for CopyObject events."
 severity = "medium"
 tags = [
     "Domain: Cloud",
@@ -101,13 +183,25 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 // keep ECS and dissected fields
 | keep
   @timestamp,
+  data_stream.namespace,
+  user.name,
+  user_agent.original,
+  source.ip,
   aws.cloudtrail.user_identity.arn,
-  cloud.account.id,
+  aws.cloudtrail.user_identity.type,
+  aws.cloudtrail.user_identity.access_key_id,
+  aws.cloudtrail.resources.arn,
+  aws.cloudtrail.resources.type,
   event.action,
+  event.outcome,
+  cloud.account.id,
+  cloud.region,
+  aws.cloudtrail.request_parameters,
+  aws.cloudtrail.response_elements,
   Esql.aws_cloudtrail_request_parameters_target_bucket_name,
+  Esql.aws_cloudtrail_request_parameters_target_object_key,
   Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
-  Esql.aws_cloudtrail_request_parameters_kms_key_id,
-  Esql.aws_cloudtrail_request_parameters_target_object_key
+  Esql.aws_cloudtrail_request_parameters_kms_key_id
 '''
 
 
@@ -124,3 +218,26 @@ id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "aws.cloudtrail.resources.arn",
+    "aws.cloudtrail.resources.type",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements",
+    "Esql.aws_cloudtrail_request_parameters_target_bucket_name",
+    "Esql.aws_cloudtrail_request_parameters_target_object_key",
+    "Esql.aws_cloudtrail_request_parameters_kms_key_account_id",
+    "Esql.aws_cloudtrail_request_parameters_kms_key_id",
+]
+