Suspicious AWS S3 bucket encryption configuration

ID: aws_s3_external_kms_bucket_encryption
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0040 (Impact): T1486 (Data Encrypted for Impact)

Description

AlphaSOC detected a change to the default (bucket-level) server-side encryption configuration of an AWS S3 bucket, recorded in CloudTrail as an S3 PutBucketEncryption call, in which the configured KMS key belongs to an account other than the bucket owner's. By pointing a bucket's default encryption at a KMS key they control, adversaries ensure that data subsequently written to the bucket is encrypted under that key; once they revoke the victim's access to the key, the bucket owner can no longer decrypt the data, which enables a ransom demand.

Impact

Unauthorized changes to AWS S3 bucket encryption settings could indicate an attempt to encrypt data with an attacker-controlled KMS key, potentially to hold the data for ransom. Because the bucket owner has no control over a key in another account, access can be withdrawn at any time by a key-policy or grant change on the attacker's side, and the data cannot be recovered without that key. This can lead to data unavailability and operational disruption for the organization. Note that default bucket encryption applies only to objects written after the change; existing objects keep the encryption they were stored with, so an attacker typically follows this step by copying or re-uploading objects so that they are re-encrypted under the foreign key.

Severity

Severity   Condition
Medium     Suspicious AWS S3 bucket encryption configuration (default encryption set to a KMS key outside the bucket owner's account)

Investigation and Remediation

Review the CloudTrail record to identify the source of the encryption configuration change (userIdentity, sourceIPAddress, userAgent) and the KMS key ARN that was configured; the account ID in the key ARN shows who controls the key. Verify whether the change was authorized, for example a key in a central KMS account that your organization owns. If it was not, immediately restore the bucket's default encryption to SSE-S3 or to a key in your own account (verify the current state with the S3 GetBucketEncryption API), check whether any objects were written or copied into the bucket after the change, and copy those objects back under your own key while you can still use the foreign key. Then rotate the credentials of the principal that made the change, review other bucket configuration changes and object copies made by the same principal, and audit the AWS environment for other signs of compromise.
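The following is an added example, not AlphaSOC's detection logic, that shows how the condition described under Description and the first investigation step above can be checked against raw CloudTrail records. It assumes the usual CloudTrail serialization of a PutBucketEncryption request (requestParameters.ServerSideEncryptionConfiguration.Rule.ApplyServerSideEncryptionByDefault, where Rule may be an object or a list; check this against your own trail output), treats recipientAccountId as the bucket owner's account, and lets the caller add other trusted account IDs (for instance a central KMS account). The sample records, account IDs and bucket names are constructed for the example.

```python
"""Flag PutBucketEncryption calls that set an S3 bucket's default encryption
to a KMS key owned by an account outside a trusted set.
Constructed example for this page, not AlphaSOC's detector."""
import re

# A cross-account KMS key must be referenced by its full ARN; a bare key ID or
# alias name can only resolve to a key in the bucket owner's own account.
KMS_ARN_RE = re.compile(r"^arn:[^:]+:kms:[^:]*:(\d{12}):(?:key|alias)/")


def default_encryption_rules(request_params):
    """Yield each ApplyServerSideEncryptionByDefault block in the request.
    Assumed CloudTrail shape: Rule is either one object or a list of them."""
    config = request_params.get("ServerSideEncryptionConfiguration") or {}
    rules = config.get("Rule") or []
    if isinstance(rules, dict):
        rules = [rules]
    for rule in rules:
        yield rule.get("ApplyServerSideEncryptionByDefault") or {}


def classify(record, trusted_accounts=None):
    """Return a finding dict for a successful PutBucketEncryption that points
    the bucket at a KMS key outside trusted_accounts, otherwise None.
    The bucket owner's account (recipientAccountId) is always trusted."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return None
    if record.get("eventName") != "PutBucketEncryption":
        return None
    if record.get("errorCode"):
        return None  # a denied or failed call changed nothing
    owner = record.get("recipientAccountId")
    trusted = set(trusted_accounts or ()) | {owner}
    params = record.get("requestParameters") or {}
    for default in default_encryption_rules(params):
        if default.get("SSEAlgorithm") not in ("aws:kms", "aws:kms:dsse"):
            continue  # AES256 is SSE-S3: keys are held by S3, not an account
        match = KMS_ARN_RE.match(default.get("KMSMasterKeyID") or "")
        if not match or match.group(1) in trusted:
            continue
        actor = record.get("userIdentity") or {}
        return {
            "time": record.get("eventTime"),
            "bucket": params.get("bucketName"),
            "bucket_owner": owner,
            "key_arn": default["KMSMasterKeyID"],
            "key_account": match.group(1),
            "actor_arn": actor.get("arn"),
            "actor_account": actor.get("accountId"),
            "source_ip": record.get("sourceIPAddress"),
        }
    return None


def scan(records, trusted_accounts=None):
    """Run classify over an iterable of CloudTrail records."""
    return [f for f in (classify(r, trusted_accounts) for r in records) if f]


# ---- constructed sample data -------------------------------------------
OWNER = "111111111111"      # hypothetical bucket owner account
FOREIGN = "999999999999"    # hypothetical attacker-controlled account


def _record(bucket, default, actor_account, error=None):
    """Build a minimal CloudTrail record (constructed, not real log data)."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": "2024-01-01T00:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketEncryption",
        "sourceIPAddress": "203.0.113.7",
        "recipientAccountId": OWNER,
        "userIdentity": {"type": "IAMUser", "accountId": actor_account,
                         "arn": f"arn:aws:iam::{actor_account}:user/deploy"},
        "requestParameters": {
            "bucketName": bucket,
            "ServerSideEncryptionConfiguration": {
                "Rule": {"ApplyServerSideEncryptionByDefault": default}},
        },
    }
    if error:
        rec["errorCode"] = error
    return rec


OWN_KEY = f"arn:aws:kms:us-east-1:{OWNER}:key/1a2b3c4d-0000-0000-0000-000000000001"
FOREIGN_KEY = f"arn:aws:kms:us-east-1:{FOREIGN}:key/9f8e7d6c-0000-0000-0000-000000000009"

SAMPLE_RECORDS = [
    _record("corp-backups", {"SSEAlgorithm": "AES256"}, OWNER),                  # benign
    _record("corp-logs", {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": OWN_KEY}, OWNER),
    _record("corp-finance", {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": FOREIGN_KEY},
            OWNER),                                                              # suspicious
    _record("corp-hr", {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": FOREIGN_KEY},
            OWNER, error="AccessDenied"),                                        # failed attempt
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Passing the organization's KMS account IDs as trusted_accounts keeps a legitimate central-key setup from alerting; records with an errorCode are skipped because the bucket was not actually changed, although repeated denied attempts are worth a separate, lower-severity look.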