AWS S3 object encrypted using an external KMS key

ID: aws_s3_external_kms_encryption
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0040:T1486

Description

AlphaSOC detected that an AWS S3 object was encrypted using an external Key Management Service (KMS) key. This activity may suggest that an adversary is attempting to manipulate, interrupt, or encrypt data in your AWS environment.

Impact

The use of a KMS key from an external or unknown account can potentially indicate that your AWS environment is compromised. Threat actors with access to your system may encrypt data for financial gain (ransomware) or to disrupt business operations.

Severity

Severity | Condition
Medium | AWS S3 object encrypted using an external KMS key

Investigation and Remediation

Confirm whether the use of the external KMS key is authorized. If unauthorized, identify and rotate all potentially compromised credentials. Restore AWS S3 objects from backups, if possible. To prevent future occurrences, review policies for KMS key usage and ensure versioning is enabled on critical AWS S3 buckets.
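To support the authorization check above, the following added example (not AlphaSOC's detection logic) scans CloudTrail S3 data events and lists writes whose SSE-KMS key ARN belongs to an account other than the one that recorded the event or an explicitly trusted one. It assumes the key ARN appears under the `x-amz-server-side-encryption-aws-kms-key-id` field of `responseElements` or `requestParameters` and that `recipientAccountId` is the bucket owner's account; the events, account IDs and key names are constructed.

```python
# Added example: a triage helper, not AlphaSOC's detection logic.
KMS_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}

def kms_key_account(key_id):
    """Account ID embedded in a KMS key ARN; None for bare key IDs or aliases."""
    parts = (key_id or "").split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "kms":
        return parts[4]
    return None

def external_kms_writes(events, trusted_accounts=frozenset()):
    """Return S3 writes whose SSE-KMS key lives outside the home or trusted accounts."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        req = ev.get("requestParameters") or {}
        resp = ev.get("responseElements") or {}
        key_id = resp.get(KMS_HEADER) or req.get(KMS_HEADER)
        owner = kms_key_account(key_id)
        # Assumption: recipientAccountId is the account that owns the bucket.
        if owner is None or owner == ev.get("recipientAccountId") or owner in trusted_accounts:
            continue
        findings.append({
            "bucket": req.get("bucketName"),
            "object": req.get("key"),
            "kms_key": key_id,
            "key_account": owner,
            "principal": (ev.get("userIdentity") or {}).get("arn"),
        })
    return findings

def _event(name, key_id, obj):  # builds a constructed, minimal CloudTrail record
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "recipientAccountId": "111111111111",
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
            "requestParameters": {"bucketName": "example-bucket", "key": obj},
            "responseElements": {KMS_HEADER: key_id} if key_id else None}

SAMPLE_EVENTS = [  # constructed sample data
    _event("PutObject", "arn:aws:kms:us-east-1:111111111111:key/local-example", "a.csv"),
    _event("CopyObject", "arn:aws:kms:us-east-1:222222222222:key/external-example", "b.csv"),
    _event("PutObject", "arn:aws:kms:us-east-1:333333333333:key/partner-example", "c.csv"),
    _event("PutObject", None, "d.csv"),  # no KMS header: SSE-S3 or unencrypted
]

if __name__ == "__main__":
    for f in external_kms_writes(SAMPLE_EVENTS, trusted_accounts={"333333333333"}):
        print(f)
```

Events that carry only a bare key ID or alias are skipped because the owning account cannot be read from the identifier; resolve those separately before clearing them.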

Further reading