AWS API calls indicating KMS privilege escalation
Description
AlphaSOC detected an IAM policy change granting full CRUD (Create, Read, Update,
Delete) permissions on AWS Key Management Service resources. This detection
identifies policies combining kms:Create*, kms:Get*/Describe*,
kms:Enable*/Disable*, and kms:Delete* permissions and triggers on the
following policy events: CreatePolicy, CreatePolicyVersion, PutUserPolicy,
PutGroupPolicy, PutRolePolicy, AttachUserPolicy, AttachRolePolicy,
AttachGroupPolicy that introduce these permissions.
Full CRUD permissions grant broad control over key management, allowing threat actors to decrypt sensitive data, modify key policies to grant themselves additional access, or disable keys to disrupt encrypted services.
With these permissions, an attacker can decrypt data protected by any key they can reach, modify key policies or create grants to give themselves or other principals persistent access (kms:CreateGrant falls under kms:Create*, and a grant can confer the kms:Decrypt right that the IAM policy itself never named), schedule key deletion to cause widespread service disruption, create new keys to re-encrypt data under their control, or enumerate key metadata to identify high-value encryption targets. Service-side encryption settings are no defence at this point: whoever the key policy and IAM allow to call Decrypt on a key can decrypt any ciphertext produced under it, including snapshots and backups copied out of the service that wrote them. The one limit is the key policy itself: an IAM policy confers KMS rights only on keys whose key policy delegates to IAM (the default key policy does so through its account-root statement), so keys with a restrictive key policy remain protected until that policy is changed.
Impact
If exploited, the attacker gains access to encrypted data across services including databases, object storage, secrets, and backups. This enables credential theft from Secrets Manager, data exfiltration from encrypted S3 buckets and RDS instances, service disruption through key deletion, and persistent access through modified key policies. Since many AWS services depend on KMS for encryption, compromised key access can cascade across the environment.
Severity
| Severity | Condition |
|---|---|
| Low | AWS API calls indicating KMS privilege escalation |
Investigation and Remediation
Check CloudTrail for the CreatePolicy, CreatePolicyVersion, Put*Policy, or
Attach*Policy event that added KMS permissions. Identify the target principal
(userName, roleName or groupName in requestParameters) and review the exact
permissions granted: Put*Policy and CreatePolicy* events carry the document
URL-encoded in requestParameters.policyDocument, while Attach*Policy events
carry only policyArn, so retrieve the attached version with aws iam
get-policy-version (for CreatePolicyVersion, also check whether setAsDefault
was true). Verify whether full CRUD permissions on KMS are required for
legitimate use.
If unauthorized, immediately detach or delete the policy. Review CloudTrail for
any Decrypt, DescribeKey, PutKeyPolicy, ScheduleKeyDeletion, DisableKey,
CreateKey, or CreateGrant actions performed by the affected principal after
the policy change (filter on eventSource kms.amazonaws.com and the principal's
userIdentity; Decrypt calls that S3 or Secrets Manager make on the principal's
behalf are logged under the principal's identity with invokedBy naming the
service). Check KMS key policies for unauthorized modifications, list grants on
sensitive keys with aws kms list-grants, since a grant outlives the IAM policy
that allowed its creation and must be retired or revoked separately, and
examine recent decryption operations against encrypted resources.
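As an added example (not AlphaSOC's implementation), the following Python runs the detection logic from the Description over constructed CloudTrail-style records and then applies the triage steps above: it decodes the URL-encoded policyDocument from Put*/Create* events, resolves Attach* events through a stand-in for aws iam get-policy-version, flags documents whose Allow patterns cover all four KMS action families, and lists the affected principal's subsequent KMS calls. The account id, principal names, policy ARN and events are constructed, and the real detection's matching rules may differ from the representative-action approach used here.

```python
# Added example, not AlphaSOC code: flag IAM policy events that grant full CRUD on KMS,
# then list the affected principal's KMS calls afterwards, on constructed CloudTrail records.
import fnmatch
import json
from urllib.parse import quote, unquote
# Representative actions per family; a policy pattern such as "kms:Create*" is fnmatch-ed
# against them (IAM action matching is case-insensitive, hence the lower() calls).
KMS_FAMILIES = {"create": ("kms:CreateKey", "kms:CreateGrant"),
                "read": ("kms:GetKeyPolicy", "kms:DescribeKey"),
                "toggle": ("kms:EnableKey", "kms:DisableKey"),
                "delete": ("kms:DeleteAlias", "kms:DeleteImportedKeyMaterial")}
INLINE_EVENTS = {"CreatePolicy", "CreatePolicyVersion", "PutUserPolicy", "PutGroupPolicy",
                 "PutRolePolicy"}
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
KMS_FOLLOW_UP = {"Decrypt", "DescribeKey", "PutKeyPolicy", "ScheduleKeyDeletion", "DisableKey",
                 "CreateKey", "CreateGrant"}

def allowed_action_patterns(policy_doc):
    """Action patterns of Allow statements (Deny, NotAction and Condition are not evaluated)."""
    statements = policy_doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns

def grants_full_kms_crud(policy_doc):
    """True when every family in KMS_FAMILIES is matched by some Allow pattern."""
    patterns = [p.lower() for p in allowed_action_patterns(policy_doc)]
    return all(any(fnmatch.fnmatchcase(a.lower(), p) for a in family for p in patterns)
               for family in KMS_FAMILIES.values())

def policy_document(event, managed_policies):
    """Put*/Create* events carry the JSON URL-encoded in requestParameters.policyDocument;
    Attach* events carry only policyArn, resolved here from a constructed stand-in dict."""
    name, params = event["eventName"], event["requestParameters"]
    if name in INLINE_EVENTS:
        return json.loads(unquote(params["policyDocument"]))
    return managed_policies.get(params["policyArn"]) if name in ATTACH_EVENTS else None

def target_principal(event):
    """User/role/group receiving the policy; for CreatePolicy* the policy itself."""
    params = event["requestParameters"]
    found = [params[k] for k in ("userName", "roleName", "groupName") if k in params]
    return found[0] if found else params.get("policyName") or params.get("policyArn")

def caller_name(event):
    """IAM user name, or the role name behind an assumed-role session."""
    ident = event["userIdentity"]
    if ident.get("type") == "IAMUser":
        return ident.get("userName")
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")

def detect(events, managed_policies):
    findings = []
    for ev in events:
        doc = policy_document(ev, managed_policies) if ev.get("eventSource") == "iam.amazonaws.com" else None
        if doc and grants_full_kms_crud(doc):
            findings.append({"eventName": ev["eventName"], "eventTime": ev["eventTime"],
                             "actor": caller_name(ev), "target": target_principal(ev),
                             "actions": allowed_action_patterns(doc)})
    return findings

def kms_calls_after(events, principal, since):
    """KMS calls of interest by principal at or after since (ISO-8601 UTC strings sort chronologically)."""
    return [(ev["eventTime"], ev["eventName"]) for ev in events
            if ev.get("eventSource") == "kms.amazonaws.com" and caller_name(ev) == principal
            and ev["eventName"] in KMS_FOLLOW_UP and ev["eventTime"] >= since]

# Constructed sample records; account id, names and ARNs are fictitious.
def _event(time, source, name, caller, params):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": caller}, "requestParameters": params}

KMS_ADMIN_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["kms:Create*", "kms:Get*", "kms:Describe*", "kms:Enable*", "kms:Disable*",
               "kms:Delete*"]}]}
SAMPLE_MANAGED_POLICIES = {"arn:aws:iam::123456789012:policy/KmsFullAdmin": {"Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}}
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z", "iam.amazonaws.com", "PutUserPolicy", "mallory",
           {"userName": "mallory", "policyName": "kms-admin",
            "policyDocument": quote(json.dumps(KMS_ADMIN_DOC))}),
    _event("2024-05-01T10:02:00Z", "kms.amazonaws.com", "Decrypt", "mallory", {}),
    _event("2024-05-01T10:03:00Z", "kms.amazonaws.com", "CreateGrant", "mallory",
           {"granteePrincipal": "arn:aws:iam::123456789012:user/mallory", "operations": ["Decrypt"]}),
    _event("2024-05-01T10:15:00Z", "iam.amazonaws.com", "AttachUserPolicy", "admin",
           {"userName": "bob", "policyArn": "arn:aws:iam::123456789012:policy/KmsFullAdmin"}),
]
if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, SAMPLE_MANAGED_POLICIES):
        print(f"{f['eventTime']} {f['eventName']} by {f['actor']} -> {f['target']}: {f['actions']}")
        for when, call in kms_calls_after(SAMPLE_EVENTS, f["target"], f["eventTime"]):
            print(f"    follow-up by {f['target']}: {when} {call}")
```

The representative-action approach deliberately matches "kms:*" and a bare "*" as well as the narrower prefixes, so administrator policies are flagged too; that is the same trade-off the Known False Positives section describes. The follow-up query keys on the target principal rather than on the actor, since a self-granted policy (mallory above) and a policy granted to someone else (bob) need different follow-up.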
If suspicious activity is found, rotate credentials for the affected principal and review KMS key policies for unauthorized changes. Revert any modified key policies, revoke any grants the principal created, and cancel any scheduled key deletions (a key whose deletion is cancelled comes back in the Disabled state, so re-enable it afterwards). Enabling automatic key rotation is not a containment step: KMS retains the previous key material, so existing ciphertext stays decryptable by anyone who still has access to the key, and rotation does not re-encrypt data. Where exposure is confirmed, re-encrypt the data under a new key and rotate the secrets the attacker could have read, such as Secrets Manager values and database credentials. Review access to encrypted resources that may have been compromised during the exploitation window.
Known False Positives
- Authorized security teams provisioning KMS management permissions for key administration
- Infrastructure-as-code deployments creating service roles requiring KMS access across multiple keys